Postponing Compliance Efforts is Just Delaying the Inevitable

by David Blazier
Head Cheerleader and Marketing Mogul, TraceSecurity
davidb@tracesecurity.com

Part of the FFIEC’s justification for updating the customer authentication guidance is because they have recognized a significant portion of institutions still have inadequate risk assessments and ineffective controls in place to protect against ever-evolving threats to online transactions.

I am a chronic procrastinator.  As proof, consider that I recently went 26 months without renewing my vehicle’s inspection sticker which, under normal circumstances, expires after 12 months.  These stickers begin looking outdated way before they expire, so after being stuck to my windshield for a total of 38 months, my antiquated sticker had faded well beyond the point of being readable…it had started to flake off.  It truly confounds me that such an obvious transgression went unnoticed by the hundreds of police officers that must have seen me drive by.

The only reason the car is now in compliance is because my loving mother borrowed my vehicle one weekend and, after noticing my shameful disregard for the law, got the car inspected.  When mom returned the car, I was simultaneously mortified and relieved to notice a bright and shiny new inspection sticker on the windshield.  Although I was embarrassed that my mommy felt she had to take care of something her little son was obviously putting off indefinitely, I must admit feeling the instant relief of once again being a law abiding citizen.

I think it's human nature to procrastinate, especially when the penalty for postponing a task is relatively small compared to the output of work necessary to complete the task.  In the case of a vehicle inspection sticker, the penalty is about a hundred bucks…not much motivation for sacrificing a whole afternoon to sit at an inspection station.  But when it comes to complying with the new FFIEC guidance, the window of time for procrastination is quickly closing.

In the wake of the FFIEC’s recent supplemental guidance (released June 2011) which mandates all financial institutions adopt a new set of “best practice” standards for customer authentication, many credit unions now face the daunting task of preparing to meet the new standards by the compliance deadline of January 2012.

Part of the FFIEC’s justification for revising the guidelines stems from their recognition that a significant portion of institutions have grossly inadequate risk assessments and insufficient controls in place to protect online transactions.  The governing agencies acknowledge that, despite the 2005 version of the FFIEC’s guidance, which called for periodic updates of risk assessments that encompass emerging threats, an alarming number of institutions have neither updated their risk assessments to account for threats to online banking systems, nor used the risk assessment’s results to determine the appropriate levels of controls necessary to mitigate threats to online transactions for both consumer and commercial members.

Therefore, the 2011 supplement reemphasizes the importance of risk assessments as the “cornerstone” of a successful risk management program by mandating that the assessment be the primary tool used for determining how authentication controls are adjusted within the “layered security” in response to new threats.  At the heart of the new guidance is a requirement that institutions must either perform or review their risk assessment every year to account for the constantly evolving threats to both their internal and external environments, and update the risk assessment as the threat landscape changes.  In addition, institutions must use the results of their risk assessments to determine the appropriate levels of controls used to protect online transactions.

While these new requirements are causing many credit unions to scramble for a solution that can be developed and deployed prior to the deadline, the most significant impact may be felt at institutions that currently perform risk assessments manually using spreadsheets or ad hoc software methods.  The new compliance guidelines will make it exceedingly difficult and time-consuming to maintain a database of threats, evaluate the effectiveness of existing security controls and update the risk assessment accurately using only a manual process.  If your credit union has a home-grown risk assessment process, you may want to start investigating more efficient automated methods right now.

Of course, no one is suggesting that procrastination is the root cause of these new compliance standards.  But after listening to countless podcasts, reading scores of articles, and hearing several regulatory officials speak about the importance of complying with the new “best practices”, I have detected a consistent underlying message that seems to say, “Do not postpone dealing with this compliance issue!”

So if your credit union’s risk assessment is like my former inspection sticker – barely recognizable and ridiculously out of date – it is time to take corrective action.  At a minimum, update your current risk assessment to incorporate online transactions, contact your third-party vendors to determine their level of support for any new controls you are considering for deployment, and establish a roadmap with a timeline for achieving compliance.  Taking these fundamental steps will demonstrate to examiners that you chose to be proactive in your compliance efforts rather than simply postponing the inevitable.

For more information, contact David Blazier at (225) 612-2121 ext. 31062 or davidb@tracesecurity.com.

Copyright © 2011 TraceSecurity, Inc. All rights reserved.