FFIEC Guides Bank Notification Programs

With identity theft on the rise, regulators are urging banks to enhance security operations, protect the information of consumers, and implement systems for notifying consumers when security breaches do occur.

The Federal Financial Institutions Examination Council (FFIEC) has released for public comment the "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice." The guidance-which fulfills a requirement in Section 501(b) of the Gramm-Leach-Bliley Act (GBLA) that requires financial institutions to protect consumer information-calls for financial institutions to develop highly specialized security and notification programs.

"The proposed guidance describes the banking agencies' expectations that every financial institution develop a response program to protect against...risks associated with internal and external threats to the security of customer information maintained by the financial institution or its service provider," says Frank Gresock, spokesperson for the FDIC, a FFIEC member agency. "The proposed guidance describes the components of a response program, which includes procedures for notifying customers about incidents of unauthorized access to sensitive customer data that could result in substantial harm to the customer."

The guidance calls for a variety of actions on the part of financial institutions. These include: 1) Assessing risk (determining, for instance, any "reasonably foreseeable internal and external threats" that could compromise customer information and the likelihood of such threats); 2) Implementing security measures (such as limiting access to customer information, implementing authentication requirements, and performing background checks on employees;, 3) Requiring similar security measures to be undertaken by any service providers used by the institution; and 4) Developing a response program (where any security breach is assessed, and notification of the breach is made to regulatory and law enforcement agencies and to consumers).

The FFIEC guidelines leave the technical components of such a security and notification system open, providing a framework for enhancing security without dictating implementation details.

NO SPECIFIC TECHNOLOGY ADVICE

For many financial institutions, complying with the guidelines will require enlisting the help of third-party security vendors. Security companies that specialize in authentication software, for instance, can help banks comply with the authentication part of the recommendations. Other companies, such as those that specialize in notification of customers and regulatory agencies, will most likely also see an increase in the demand for their services.

The key is that each financial institution will design a security program that matches its needs. "The FDIC will not recommend specific technologies that banks and thrifts should employ to conform to the proposed guidelines," FDIC's Gresock says. "Initially, each institution will need to determine for itself how to accomplish the goals of the proposed guidance depending on its size, complexity, nature of operations and other factors."

The FFIEC represents the Board of Governors of the Federal Reserve System (FRB), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the FDIC.