FFIEC impact so far

Interview

What comes next for the regulation?
The next steps are that we would continue to try to educate consumers on vulnerabilities and their habits. We have to look at implementation vulnerabilities; if they're not implemented properly, they could also create vulnerabilities in the technology. We need to look at technology risk. When you have new products in production, we have to see if there's any risk based on that. Institutions have to look at how it's impacted their business and how adoption has gone with customers.

Download the full interview with Michael L. Jackson at searchsecurity.com/ismag.

What's your sense for compliance? Are most financial services institutions compliant--or close?
Our early kick-of-the-tires indications are that yes, the industry has responded positively to the guidance. Keep in mind, the agencies are not doing anything different outside the normal exam process. If an organization is scheduled for an exam, the exam will proceed and we will look at the guidance. If an institution is not scheduled for an exam, we will not go in specifically to look just at the guidance.

What are some of the concerns being expressed by institutions that may be struggling to comply?
Some of the questions were around whether they should do security assessments around applications, or enterprise-wide. We left it up to the organization to decide what was best. Also, who could do the risk assessment?

That could be contracted out, but the institution is still ultimately responsible for it. Other concerns were around specific technologies. Before the guidance became effective, there was talk in the press about tokens being a preferred solution. We reiterated numerous times that there was no preferred solution.

The solutions had to come out of the banks' risk assessment and business decision.

What is the word on consumer pushback? Are consumers noticing the stronger authentication demands, and what's the impact on business?
I don't have a great handle on that, but early indications are that consumers are curious about it and understand it impacts them and secures their funds more than before. The bankers I've talked to, there's not a wholesale rejection of it; consumers are OK with it, it's just something that's different.