Complying with FFIEC GuidanceProven Security Solutions for Financial InstitutionsFirst issued in 2005, the Federal Financi...
Guidance & Recommendation                                                                             Entrust Enables FFIE...
Entrust IdentityGuard Mobile:                                             Entrust TransactionGuard:Transaction Verificatio...
Entrust EV Multi-Domain SSL Certificates:                                                                     Entrust & Yo...
Upcoming SlideShare
Loading in …5

Complying with FFIEC Compliance


Published on

Entrust provides the guidance, expertise and proven solutions to help banks and financial institutions comply with the FFIEC's latest requirements and recommendations.

Published in: Technology, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Complying with FFIEC Compliance

  1. 1. Complying with FFIEC GuidanceProven Security Solutions for Financial InstitutionsFirst issued in 2005, the Federal Financial Institutions Examination Council’s (FFIEC) Who is Affected?guidance for financial institutions took a strong stance in support of the deployment • Banksof stronger authentication methods, as well as fraud detection techniques, to protect • Thriftscustomer identities and information during online banking transactions. • Mortgage lendersUpdated in 2011, the “FFIEC: Authentication in an Internet Banking Environment” • Credit unions (and their non-functionallyguidance recognizes the significant advances in criminal threats — both in sophistication regulated operating subsidiaries)and sheer frequency. The supplement provides additional comprehensive guidelines • U.S. branches and agencies of foreign banksto help stop advanced attacks that target the identities and transactions of consumersand business-banking customers. • U.S. commercial-lending companies of foreign banksLike the original, the updated guidance is supported by all five members of the • CreditorsFFIEC, which is an interagency body in the United States that sets the principles • Any person or business* who arrangesand standards used for reporting and examining financial institutions. for the extension, renewal or continuation of creditEntrust provides the guidance, expertise and proven solutions to help banks andfinancial institutions comply with the FFIEC’s latest requirements and recommendations. * In addition to banking institutions, retailers,To help organizations protect against a broad range of online and mobile threats, utilities, car dealers and many other businessesEntrust offers the broadest range of solutions to ensure that an effective balance are subject to this regulation.of security, user experience and total project cost is achieved.A New FocusThe original 2005 FFIEC guidance was a major impetus to the adoption of strongerauthentication beyond standard username and password schemes.But the growth of online threats, such as the ZeuS Trojan and man-in-the-browserattacks, coupled with the growing losses among business, served as the catalyst forthe FFIEC to revisit those guidelines.With a focus on the ongoing threats to customer- and business-banking transactionsand respective identities, the FFIEC’s updated guidance addresses the following areasof focus.
  2. 2. Guidance & Recommendation Entrust Enables FFIEC ComplianceDrive Better Risk Assessment Much like with the 2005 FFIEC guidelines, Entrust offersFinancial institutions require a better understanding of the proven solutions to help organizations and financialsophisticated threats and their appropriate, timely response. institutions comply with the new mandates. Entrust’sThis includes guidance for regular reviews by the banks of comprehensive security framework — comprised of severalinternal systems and the ability of these systems to detect proven security solutions — is cost-effective, simple to deployand deal with fraud threats. and easy for end-users.Adopt Stronger Authentication Standards Entrust IdentityGuard:While the 2005 guidance stated that usernames and passwords Software Authentication Platformweren’t enough, today’s threats require even stronger means of Much of the FFIEC guidance focuses on the adoption of strongauthentication, particularly for high-risk transactions (e.g., ACH authentication — for consumers and commercial banking useand wire transfers for commercial transactions). alike. Banks are directed to provide commercial customers with strong multifactor authentication. It also requiresPush toward Layered Security financial institutions to adopt the use of stronger transparentMultiple layers of process or controls have been proven to help authentication — such as session-based device authenticationdefend against identity attacks, including advanced malware. (e.g., one-time cookie or dynamic device authentication) —If one security layer fails, subsequent barriers are in place to thwart that is stronger than simple device attack. Step-up security options can include out‑of‑bandauthentication and advanced transaction verification. Entrust IdentityGuard is a software authentication platform that enables banks to deploy a single authenticationExplore Advanced Authentication Techniques infrastructure capable of providing different types ofAs online fraud attacks increase in sophistication, so does the multifactor authentication, depending upon the typeinnovation in authentication technology required to stop the of user, transaction or risk.attacks in the consumer space. Financial institutions should explore, Just one of the many authenticators supported byfor example, advanced techniques like device authentication Entrust IdentityGuard, digital certificates can be deployed easilyvia one-time session cookies or stronger challenge questions. by Entrust Managed Services PKI — a simple, cost‑effective hosted PKI offering. While providing a convenient authenticationProvide Technology Guidance for Compliance mechanism for users and devices, digital certificates also enableThe FFEIC now provides instruction on technology and banks to tighten security processes within the institution andsolutions, particularly fraud detection platforms, which will enhance security of internal effective in meeting the new guidelines. This includes fraudtransaction monitoring and/or anomaly detection software. Scratch Pad Mobile Transaction SMS Verification Device Digital Authentication Certificates Knowledge Grid Based IP-Geolocation OTP Tokens Password USB and Smartcards Mutual SOFTWARE AUTHENTICATION PLATFORM Authentication BiometricsFigure 1: A software authentication platform enables financial institutions to select the right authenticator for each user or device based on risk, cost and/or transaction type.
  3. 3. Entrust IdentityGuard Mobile: Entrust TransactionGuard:Transaction Verification Real-Time Fraud DetectionThe updated FFIEC guidance requires banks to Banks are now required to maintain systems capable ofensure systems are in place that thwart attacks preventing fraud attacks and have the ability to analyzewith a layered security approach. In addition incidents that have occurred. The guidance specificallyto providing a convenient, cost‑effective addresses security solutions effective in combating online fraud,approach for stronger authentication via soft including approaches that provide transaction monitoring andtokens, Entrust IdentityGuard Mobile also anomaly detection (i.e., software that detects transactions thatenables out‑of‑band transaction verification. may be inconsistent with established patterns of behavior).This helps users verify whether transaction integrity is intact Entrust TransactionGuard provides robust, real-time capabilitiesor if it has been modified by some form of fraud attack. to protect against online fraud, and offers forensic capabilitiesTransaction verification is a proven approach for banks to to analyze ongoing and/or past transactions to identifydefeat many types of online and mobile malware threats. potential fraudulent activity. Solution Guidance Entrust Entrust Entrust Entrust EV Details IdentityGuard IdentityGuard Transaction Multi-Domain Mobile Guard SSL Digital Certificates Drive Better Risk ✓ ✓ ✓ ✓ Understand how to detect and Assessment thwart threats, as well as analyze security breaches Adopt Stronger ✓ ✓ Use stronger device authentication, Authentication including one-time cookies, to Standards create more complex digital PC fingerprints; increase strength of challenge questions Push Toward ✓ ✓ ✓ ✓ Enable use of different security Layered Security functions at different points in a transaction process; if one is compromised another control is in place Explore ✓ ✓ ✓ Consider innovative security Advanced Fraud controls, including anti-malware & Authentication software for customers, transaction Techniques for monitoring, anomaly detection and Effective Controls mobile transaction verification Provide ✓ ✓ ✓ ✓ Educate customers as to how and Technology where they are protected within Guidance for today’s current fraud landscape Compliance
  4. 4. Entrust EV Multi-Domain SSL Certificates: Entrust & YouWebsite Security More than ever, Entrust understands your organization’sExtended validation (EV) SSL digital security pain points. Whether it’s the protection of information,certificates are the first line of defense securing online customers, regulatory compliance or large‑scalein thwarting online fraud — particularly government projects, Entrust provides identity-based securityphishing attacks — by providing users solutions that are not only proven in real-world environments,with a strong indication that they are but cost-effective in today’s uncertain economic climate.on a legitimate website. The smart choice for properly securing digital identities andUnder the new guidance, organizations are required to provide information, Entrust solutions represent the right balancethese types of simple measures (e.g., visual clues) to help users between affordability, expertise and service. For moreeasily understand easily if they are at risk during an online session. information on how Entrust can help your organization complyBanks and financial institutions are also required to implement with FFIEC guidelines, contact the Entrust representative inbetter education for their users. For example, visual clues, such your area at 888-690-2424, email oras the green address bar provided by an EV SSL certificate, are visit simple and effective way for banks to make users aware of Company Factsrisky or legitimate sites. Website: Employees: 359 Customers: 5,000 Offices: 10 globally Headquarters One Lincoln Centre 5400 LBJ Freeway, Suite 1340 Dallas, Texas 75240 USA Sales North America: 1-888-690-2424 EMEA: +44 (0) 118 953 3000 Email: entrust@entrust.comAbout EntrustA trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizationsspanning 85 countries. Entrust’s award-winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain pointsfor cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. For more information about Entrust products andservices, call 888-690-2424, email or visit is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and servicenames are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. All other company names, product names and logos are trademarks or registered trademarks of theirrespective owners. © 2012 Entrust. All rights reserved. 24352/5-12