The Federal Financial Institutions examination Council (FFIEC) — a group of federal financial regulators empowered to issue uniform standards for most of the financial institutions in the United States — issued new guidelines to the nation’s federal credit unions, banks, and other financial institutions. It notified them that they will have to comply with new Internet-security standards. 

Credit unions were required to comply with the new standards by Jan. 1, 2011.

The FFIEC laid out these new standards in a supplement that is an update to guidance on Internet security that it had issued in 2005, entitled “Authentication in an Internet Banking Environment.” 

The original 2005 guidance

The 2005 guidance provided a risk-management framework for financial institutions offering products and services to their customers through the Internet. It required financial institutions to use effective methods to authenticate the identity of customers. 

It also required financial institutions to implement Internet-security techniques commensurate with the risks associated with the products and services offered and the importance of the protection of sensitive consumer information. 

The 2005 guidance also provided minimum supervisory expectations for effective authentication controls applicable to high-risk online transactions involving access to consumer information or the movement of funds to other parties (such as automated payments and other electronic-funds transfers). 

In addition, the 2005 guidance required financial institutions to perform periodic risk assessments and adjust their Internet-security control mechanisms as appropriate in response to the ever-changing threats from cybercriminals.

New supplement requirements

The purpose of the supplement to the 2005 guidance is to reinforce the guidance’s risk-management framework and update financial regulators’ expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment. 

The supplement reiterates the FFEIC’s expectations outlined in the 2005 guidance that financial institutions must perform periodic risk assessments that consider new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks. 

The supplement establishes minimum control expectations for certain online-banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of a financial institution’s customer awareness and education programs.

Update Internet risk assessments

The first specific expectation for financial institutions in the supplement is that they will be required to renew and update their Internet-security risk assessments whenever new threat information becomes available or whenever they introduce new services. 

Even if financial institutions do not introduce any new online services or receive any new threat information, at a minimum they will be required to review their risk assessments at least once a year. 

These updated risk assessments should consider changes in the threat environment, changes in the customer base using electronic services, changes in the way banks and credit unions deliver those services, and any actual experiences of security breaches by the financial-services industry. 

Provide layered Internet security

In addition, the supplement requires financial institutions to provide layered Internet security. The intent is that the strength of other security barriers can compensate for vulnerable security controls.

It is expected that security programs will, at a minimum, contain processes to detect and effectively respond to suspicious activity when a consumer logs into his/her account or initiates an electronic transfer. 

It is expected that there will be enhanced controls for system administrators who are granted privileges to set up or change system applications related to business accounts. 

Credit unions and banks will be required to utilize controls to cover both initial account access and subsequent account-transaction processing if they engage in “high risk Internet transactions.” 

High-risk transactions are defined to include automated-payment services and commercial financial services. Given this broad definition, it is likely that most financial institutions will fall into this category. 

Educate consumers

Finally, credit unions and banks will be required to educate consumers. 

First, they will have to advise consumers about the protections provided, as well as the protections not provided by Regulation E, the federal regulation governing electronic fund transfers. 

Second, they will have to disclose to consumers that they will be asked to provide their electronic-banking credentials, and that they will contact the authorities when they detect suspicious account activity. 

Aside from technical guidance, this new set of rules for credit unions and banks is a clear reminder that preventing fraud continues to be a significant goal of federal regulators. 

It is also a reminder that Internet-security measures will not only have to withstand attacks by hackers, they will also have to withstand the scrutiny of federal officials.     

Neil J. Smith is an attorney with Mackenzie Hughes LLP in Syracuse and handles business, bankruptcy, and creditor’s rights issues for a variety of clients. Contact him at (315) 233-8226.

New York’s Gov. Andrew Cuomo intrigues me. What he is trying to do may impact the entire country some day.

Cuomo is from the left, of course. He gets a lot of campaign money from the left. Teachers’ unions and the education lobby give him big bucks. So do the unions for state and municipal workers.

And yet, he is confronting them. He is forcing the issue of teacher evaluation. Basically, the teachers’ unions don’t want teachers to be evaluated seriously. They fight against identifying the poor-performing teachers. They fight against these teachers getting the boot. They put up various smokescreens and say they just want fairness. Right.

Meanwhile, your school cannot sack its hopeless teachers — because the union will fling so many roadblocks at the school. Overcoming the roadblocks will cost more than a new gym. So, schools put up with incompetence. And, the kids take it on the chin.

Cuomo is challenging this ridiculous racket. He is threatening to put teeth into the evaluations.

The governor is also confronting civil servants — over their pensions and other benefits. Now, you cannot blame unions for wanting to hang onto the existing benefits. They are fat, compared with benefits in the private sector.

Cuomo proposes that new hires pay a bit more toward their pensions. And that they retire three years later than current public employees. He also suggests the pension program begin to shift toward a 401(k)-type system — like those that cover private employees.

These are hardly radical changes. But they will save cities and the state billions in the long run. Of course, the unions immediately condemned them and predicted they will end life on the planet.

What intrigues me is that Cuomo shows the courage to tackle the left. Politicians know that leaders from the left can tame abuses on the left. Sometimes, they can achieve more in this regard than leaders from the right. In negotiations, they cut through the bluster and propaganda. They basically say, “Hey, guys, you know we’re on the same side. I wouldn’t challenge you unless it’s really necessary. Well, it’s really necessary.”

This gives the negotiators on the left some cover. They cause a big stir in the papers. They whine big time. But they admit to their members, “The governor wouldn’t force this if he didn’t have to. If we had a right-wing guy in Albany, things would be a lot worse.”

If you want to find an example of this phenomenon on the right, consider Richard Nixon. He was stubbornly anti-communist. Fiercely right-wing. Yet, it was Nixon who opened our first public discussions with Red China.

These are early days for Cuomo. Pre-negotiations. We will have to wait to see how tough he is in adding flesh to his proposals. If he is successful, the success could have national ramifications. 

He probably wants to run for the White House. The costs of education and civil service in New York are bloated. They cause higher taxes and help cripple the state’s economy. If Cuomo reins in the teachers and civil servants in New York, he will contain some of those costs. That should take pressure off taxes. This will help the state prosper. 

This would give him a reputation that will help him with Democrat movers and shakers nationally. They like candidates from the left who can tame the extremes on the left. Such candidates are better able to win the all-important voters from the middle — the ones who decide who wins the presidency.

From Tom…as in Morgan.   

Tom Morgan writes about financial and other subjects from his home near Oneonta, in addition to his radio shows and new TV show. For more information about him, visit his website at www.tomasinmorgan.com