4 Key Regulatory Issues of 2011
From Authentication to Mobile, Institutions Eye Gauntlet of Guidance
In an annual preview of things to come, a panel of federal regulators and industry experts weighs in on what are likely to be the top 4 regulatory issues of the new year.
#1. Authentication: Earlier this year, the buzz from regulatory agencies was that, in response to growing fraud incidents, the Federal Financial Institutions Examination Council is reviewing the 2005 FFIEC Authentication Guidance, looking to further clarify the concepts of strong and multifactor authentication.
Agency insiders, while not willing to go on the record, say there is work being done to review and issue new guidance on the use of current authentication protocols. The big question revolves around the topic of identity management within institutions. "While it is still uncertain what revisions the agencies might make to existing authentication guidelines," says Julie McNelley, a senior analyst at Aite Group, "from an examination standpoint, we believe examination emphasis will be placed on whether the bank's identity management and authentication practices are subject to a continual review process and whether that process resulted in the appropriate layers of security being in place."
Among the other topics that could be considered for future guidance: Prescribing a layered security approach, including out-of-band authentication, device identification and transaction monitoring.
#2. Mobile, Cloud, Emerging Tech: While institutions are rushing to embrace mobile banking, cloud computing and other revolutionary technologies, regulators are also watching how these new technologies affect compliance and the security of data. But will this scrutiny result in new guidance? Opinions are split.
Donald Saxinger, team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations, says institutions should be ready to answer questions from their regulators on their use of emerging technologies like mobile, social networking and cloud computing in 2011. But don't necessarily expect to see additional regulatory guidance on the technologies.
"We wrote our guidance broad enough to cover most of these," Saxinger says. "But we are getting lots of requests for more guidance in social media and cloud computing." Usually when these requests come in, it's because the institution is looking for more specific rules, Saxinger says. Because the regulators took a risk-based approach, these decisions require a little bit more work on the part of the examiner and on the part of the bank to make the determinations. "I don't like to speculate on guidance in the future," Saxinger says. "[New] guidance isn't going to change specific to a technology, and that is what people need to realize."
Still, William Henley, the senior vice president of regulation for BITS, who formerly served as the director of IT examinations for the Office of Thrift Supervision, does believe that banking institutions can within the next 12 months expect new federal guidance regarding the use and application of mobile financial services.
"This is something that the agencies for a while now have been reviewing, and even before the expansion of consumer use of mobile banking, this was something that the agencies were aware of and were reviewing and trying to determine the best way to address through guidance," Henley says. "So, I do expect that the regulatory agencies will issue something within the next 12 months."
#3. Focus on Fraud: In many ways, 2010 was "The Year of Fraud." ATM fraud, POS attacks and ACH incidents were among the most common crimes, pushing institutions and regulators to seek new techniques to detect and prevent these crimes.
To date, federal regulatory agencies have been active in the FS-ISAC Account Takeover Task Force, including assisting in the development of recommended practices to detect, deter and respond to corporate account takeover attempts. While industry experts don't expect regulatory guidance to be issued specifically to address ACH fraud, they do expect the agencies to focus increasingly on prevention of these attacks as part of information security examinations.
One regulatory hot potato is the debate over Regulation E and whether it should be amended to offer businesses the same protections as consumers. A proposed amendment to Reg. E is on the table in the U.S. Senate through a bill introduced by Sen. Charles Schumer of New York. The amendment, as proposed, would extend Reg. E coverage to municipalities, school districts and other entities, such as churches and religious organizations. "Whether [ACH fraud] is a shared responsibility or solely the responsibility of the financial-services institutions, I don't see a lot shared in the victims' cases," says activist Jim Woodhill, one of the leading proponents of Reg. E reform. "They get stuck with 100 percent of the losses. That is fundamentally the root political issue, and it is a political issue." How that political matter plays out will be one of the dramas of the new year.
The focus on fraud, internal and external, will push regulators to focus on privacy and security issues, as well. "The rise of new technologies such as the cloud, mobile applications and social networking will only add to the already significant issues of privacy and security," says Dan Borge, director at consulting firm LECG and former risk management program lead at Banker's Trust. Banking customers as well as regulators will expect banks to rigorously protect private data and prevent malicious invasion of banking systems. A single miscue can inflict great damage on an institution's reputation. The threat potential is increasing rapidly. The question is: Which vulnerabilities should be on top of a bank's priority list, and how -- if at all -- will regulators guide these decisions?
#4. Fallout from Dodd-Frank: It's not that the industry isn't already under a magnifying glass of regulatory focus, but experts say: Expect more soon, especially in the wake of the Dodd-Frank act.
We know about Regulation Z, risk-based pricing, privacy and interchange, but an active Consumer Financial Protection Bureau could create a large amount of new guidance for banking institutions. The big unanswered question is the role and rule-making plans of the new agency. Head of the CFPB Elizabeth Warren has announced that credit cards will be the CFPB's top priority. What other issues will the new agency tackle? "Will they take advantage of their role as steward for consumer protection regulations to crack open Truth-in-Savings or Regulation E? Only time will tell," says Anthony Demangone, director of regulatory compliance at the National Association of Federal Credit Unions.
The landscape is already a rocky one, yet the industry will have a harder climb out of the financial crisis/recession, says Borge. "Banks will be facing pervasive regulatory complexity and uncertainty in 2011." The sprawling Dodd-Frank act and multiple initiatives launched by banking regulators "will have a massive impact on banks over many years to come," Borge says. The problem facing many institutions is the question of what action to take. Many of the specific requirements are left to regulators to determine in 2011 and beyond.
In the meantime, banking/security leaders must make business decisions without knowing for sure what the new rules of the road will be. Which products and businesses must be fine-tuned, overhauled or even abandoned? What new business opportunities will arise from the current upheaval? Is it better to act now or wait until the regulations are clarified?
Without question, the resources required to meet the new regulatory requirements of the Dodd-Frank act will be a major factor in the coming months. The vast number of regulations required by DFA will require significant regulatory and bank resources.
"Many of these regulations will require the installation of new or the refinement of existing information systems," says Doug Johnson, vice president of risk management policy at the American Bankers Association. While privacy regulations will now be the responsibility of the CFPB, information security regulations will remain a part of safety and soundness examinations. Johnson says it will be interesting to see how that plays out.
Institutions will need to put forth more time and resources to address how the DFA impacts the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. Specifically, institutions need to look at how to implement more protections for personal information in all forms, and throughout the entire lifecycle. Expect that there will be more FCRA and GLBA audits. Regardless of push-back from Republicans in Congress, "changes to the FCRA and GLBA will stick," says security and privacy expert Rebecca Herrold.