What banks can do to respond to new FFIEC guidelines

The Federal Financial Institutions Examination Council (FFIEC) recently announced updates to its guidance for electronic banking channels. It was the first time in 10 years that FFIEC has updated its guidelines - and the first time that bank employees and third parties are included in authentication guidance.  

Overall, the updated FFIEC guidance is too little, too late, and doesn’t provide a clear path forward for risk management teams. The trouble is that the recommendations are just that: recommendations. The guidelines lack any clear mandates that would have given risk managers or CROs the argument they need to make the case for bigger budgets. That said, there’s plenty in the new FFIEC guidelines to implement immediately.

5 Tips for Banks to Respond to FFIEC Guidelines

While FFIEC’s guidelines might lack mandates or clarity, there’s plenty banks can do to enhance external-facing and internal-facing operations and address vulnerabilities in their digital banking services. 

1. Banks Should Closely Watch Internal Players

The most important new FFIEC guideline concerns internal bank employees and third-party providers that have access to an FI’s systems. The same risk-based authentication solutions and controls that banks implement for their customer-facing operations should now also be applied to the bank’s internal systems. This means employees face the same level of multi-factor authentication (MFA) or behavioral biometric screening as customers. Banks need to think carefully about their identity and authentication management programs and strictly enforce their access management protocols, including for remote access: which authentication controls apply to each system, how users interact with them, and whether those interactions appear legitimate.

2. Make Risk Assessment an Ongoing Process

Under FFIEC’s new recommendations, banks are expected to assess the risk level of all of the products and services in their portfolios. But FFIEC’s guidelines don’t go far enough in recommending how often these risk assessments should take place. The truth is that as business evolves and markets shift, every product and service will face a new level of risk to both customers and to the bank. With this in mind, banks should perform risk assessments for all products on a regular cadence to ensure their customers and bottom lines are safe from fraudsters. Assessments can be circulated for review through a socialization workflow, with changes approved by an internal committee. They should also be repeated whenever the bank expands or launches new products and features.

3. Seek Independent Risk Assessments

Banks should also consider assessing the quality of their own risk assessments. However, as we all know, it’s not always easy to grade your own homework. That’s why banks should urge their CROs or COOs to bring in an independent third party to conduct a thorough end-to-end risk assessment of the bank’s operations. An outside perspective brings valuable insights that an internal team would otherwise overlook. 

It’s understandable that some might balk at the idea of an outsider coming in and assessing how the bank operates. The best way to respond to these protests is to remind teams that it’s better to hire someone to uncover gaps in a risk assessment program than to have the Office of the Comptroller of the Currency (OCC) launch its own investigation. An OCC investigation could result in a matter requiring attention (MRA) or a consent order, and a consent order can bar the bank from performing certain functions or providing its full range of services until all outstanding issues are resolved. An OCC investigation can also damage the bank’s public reputation.

4. Apply KYU to Call Centers

One of the new FFIEC guidelines specifically notes that banks should perform a “comprehensive risk assessment” for their call centers. However, FFIEC’s new guidance is vague and fails to address the wide range of tools that bad actors use to deceive call center employees and interactive voice response (IVR) authentication systems. These include social engineering scams, voice phishing (or vishing) attacks, and even moving the SIM card from a stolen phone into a burner handset. With the victim’s SIM in their own phone, fraudsters present the legitimate user’s phone number to the bank, so caller-ID checks and SMS one-time codes no longer prove who is on the line, and call centers could unwittingly fall for fraud.

Banks need their call centers to take a holistic view of a user’s phone (device) and telco relationship to understand whether it has been compromised. Banks should go farther than what the FFIEC guidelines recommend and adopt holistic solutions that empower call centers to implement strong know your user (KYU) practices. This gives call center staff a clearer view of whether a transaction is a high fraud risk by drawing on all available data sources, such as whether the SIM was recently changed or the number recently ported.
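The risk-based authentication that tip 1 asks banks to extend to employees and third parties, and the telco-aware call center check in tip 4, can be served by a single decision engine. The following is an added illustration written for this page, not code from the original post or from any product; the signals, weights, thresholds and the seven-day lookback window are assumptions a bank would replace with the output of its own risk assessment, and every scenario is constructed rather than taken from real events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed weights and thresholds: illustrative only, to be tuned from the
# bank's own risk assessment rather than copied from this example.
TELCO_CHANGE_WINDOW = timedelta(days=7)
STEP_UP_THRESHOLD = 25
ESCALATE_THRESHOLD = 80


class Decision(Enum):
    ALLOW = "allow"        # the presented credential is enough for this interaction
    STEP_UP = "step_up"    # require a second factor before proceeding
    ESCALATE = "escalate"  # no automated approval; route to manual review


@dataclass
class AuthContext:
    principal: str
    principal_type: str        # "customer", "employee" or "third_party"
    channel: str               # "web", "mobile_app", "vpn" or "call_center"
    known_device: bool         # device, or calling number, previously bound to this principal
    remote_access: bool        # internal principal connecting from outside the bank's network
    privileged_action: bool    # e.g. change contact details, add a payee, admin task
    sim_changed_at: Optional[datetime] = None  # from telco data, when the bank has it
    ported_at: Optional[datetime] = None       # number moved to another carrier
    now: datetime = datetime(2021, 10, 1, tzinfo=timezone.utc)  # constructed clock


def recent_telco_change(ctx: AuthContext) -> bool:
    """True if the SIM or the number itself changed inside the lookback window."""
    return any(
        event is not None and ctx.now - event <= TELCO_CHANGE_WINDOW
        for event in (ctx.sim_changed_at, ctx.ported_at)
    )


def risk_score(ctx: AuthContext) -> tuple:
    """Sum weighted signals and return (score, reasons) so the decision is auditable."""
    signals = [
        # Tip 1: the same checks apply whether the principal is a customer,
        # an employee or a vendor; nothing is skipped for insiders.
        (not ctx.known_device, 30, "unknown device or calling number"),
        (ctx.remote_access, 25, "remote access"),
        (ctx.privileged_action, 30, "privileged action"),
        (ctx.principal_type == "third_party", 20, "third-party account"),
        # Tip 4: a SIM swap or port-out days ago means the number may now ring
        # in a fraudster's burner handset, so the telco relationship is a signal.
        (recent_telco_change(ctx), 50, "SIM swap or port within lookback window"),
        (ctx.channel == "call_center", 10, "voice channel exposed to vishing"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    return score, reasons


def decide(ctx: AuthContext) -> Decision:
    score, _ = risk_score(ctx)
    if score >= ESCALATE_THRESHOLD:
        return Decision.ESCALATE
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


def acceptable_second_factors(ctx: AuthContext) -> list:
    """Factors a step-up may use. An SMS code proves nothing once the number may
    sit in an attacker's SIM, so it is withheld after a recent telco change."""
    factors = ["fido2", "hardware_token", "in_app_push"]
    if not recent_telco_change(ctx):
        factors.append("sms_otp")
    return factors


# Constructed scenarios (not real events) covering both tips.
_TWO_DAYS_AGO = datetime(2021, 9, 29, tzinfo=timezone.utc)
SCENARIOS = {
    "employee_on_network": AuthContext("alice", "employee", "web", True, False, False),
    "employee_remote_new_laptop": AuthContext("alice", "employee", "vpn", False, True, False),
    "vendor_remote_admin": AuthContext("acme-svc", "third_party", "vpn", True, True, True),
    "vendor_remote_admin_unknown_device": AuthContext("acme-svc", "third_party", "vpn", False, True, True),
    "caller_balance_inquiry": AuthContext("bob", "customer", "call_center", True, False, False),
    "caller_address_change_after_sim_swap": AuthContext(
        "bob", "customer", "call_center", True, False, True, sim_changed_at=_TWO_DAYS_AGO),
}

if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        score, reasons = risk_score(ctx)
        print(f"{name}: {decide(ctx).value} (score {score}; {', '.join(reasons) or 'no risk signals'})")
        if decide(ctx) is Decision.STEP_UP:
            print("   second factors:", ", ".join(acceptable_second_factors(ctx)))
```

The point of returning the reasons alongside the score is that an examiner, or the internal committee that approves changes to the assessment, can see why a vendor session was stepped up or a caller was escalated. Note also that a recent SIM change does more than raise the score: it removes SMS as an acceptable second factor, which is exactly the gap a fraudster with the victim’s SIM in a burner phone is relying on.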

5. A 2-Part Education Plan

Finally, banks should adopt a two-pronged approach to education. The first prong applies to customers. The updated FFIEC guidelines urge banks and FIs to educate their customers about fraud attacks and the latest fraud trends. The new guidelines also urge banks to evaluate the effectiveness of their customer awareness efforts. I’d argue that banks should go further and educate their customers about the benefits of shifting away from text messages and embracing in-app mobile banking, which gives banks and customers a more secure channel than SMS, whose one-time codes are undermined by the SIM swaps described above.

The second education prong is internal-facing. Banks should demonstrate to employees the real impact fraud has on real people. This involves sharing stories of customers who lost large sums of money or about people who were forced to try to undo the damage to their financial reputation. Putting a human face to the damage will motivate bank staff to be more vigilant in their efforts to stop fraud and allow them to see customers as real people, not just data points.

Download the Q3 2021 Financial Crime Report: The Dollar Takes Flight to understand how the pandemic changed commerce and fraud as we know it.