NCUA Disclosed FFIEC Draft

Regulator Mistakenly Posted Authentication Guidance
NCUA Disclosed FFIEC Draft
The National Credit Union Administration confirms it was the source that disclosed the draft authentication update from the Federal Financial Institutions Examination Council.

According to representatives of the NCUA's Office of Examination, the draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" was posted on Dec. 30, the day before the formal guidance was expected to be made public.

"FFIEC agencies were originally scheduled to jointly release the document by 12/31/2010," the NCUA said in response to inquiries from Information Security Media Group. "There was, however, a delay with the approval processes at one FFIEC agency. NCUA did not receive notification in time to prevent the public release of the document. As soon as [the] NCUA received notification that one of the other FFIEC agencies had a delay in the approval process, [the] NCUA removed the document from its website as this document was intended as a joint release by FFIEC agencies."

The draft was available on the NCUA site for four to five days over the New Year's holiday, during which time it was downloaded 1,100 times, according to the NCUA. Since then, the draft has circulated widely throughout the banking industry. ISMG published excerpts of this draft on Feb. 22.

ISMG has not been able to confirm which of the FFIEC's member agencies held up the publication of the guidance.

Disclosure's Impact?

In short, the FFIEC draft calls for:

This pending supplement - the FFIEC's first statement on authentication since its original 2005 guidance - has been long awaited by industry practitioners, analysts and vendors alike.

Regulators have not indicated when the final guidance will be issued. But information security attorney David Navetta says premature disclosure of the draft guidance may have slowed the process.

Although the disclosure was an "innocent error," Navetta says, it has likely fueled further delays and regulator concerns. "From a public perspective, seeing a draft of what's being proposed helps us know what the regulators are thinking," he says, but it also opens the FFIEC to additional feedback on its proposed guidelines. "It could pose some problems for the actual guidance."

George Tubin, a TowerGroup analyst who focuses on fraud and security, agrees the disclosure likely has contributed to the delay. "I've never seen this happen before, and I think it's caused some problems," he says. "It's been two months now since it went out on the website, and we still don't have anything official. That's a long time."

No high-profile fraud incidents have been reported since the accidental disclosure, but banking and security executives, in particular, anxiously await the final guidance. Not that the guidance alone will prevent fraud incidents, but practitioners are eager for regulators' latest recommendations on hot topics such as multifactor authentication and layered security. As David Shroyer, a former Bank of America executive, said in a recent interview about the drafted guidance, "Financial institutions live and die by this guidance."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.