Spoon-fed security
I've been reading the recently-issued revised FFIEC guidance to US financial institutions on user authentication and related 'layered' controls, and puzzling as to why such guidance is required Is it really necessary for the FFIEC to tell banks, for example, to use "enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk"? Is that not stating the bleedin' obvious? Isn't it clearly in the banks' interest to make their valued customers aware of keylogging Trojans, phishing, 419s, money-mules and a zillion other scams?
The financial institutions in which I have worked have all been hot on risk management, and have usually worked at or close to the cutting-edge of brand new security technologies. My risk, security and fraud colleagues definitely appreciated the issues relating to failing to identify and authenticate customers, not least for Internet banking systems, while on the whole, management "gets" security. After all, it is of course their core business. Security is 'what banks do'.
Aside from generally-accepted good security practices and standards, plus industry norms shared informally through industry forums and employee migration, they experience and learn from information security and fraud incidents, in much the same way as they learnt the need for strong bank vaults from traditional stocking-masked bank heists. For example, banks know that cheap low-resolution CCTV systems give woefully inadequate images, whereas good quality stills, or even better clear color video shots from multiple angles, substantially improves the probability of someone recognizing bank robbers caught in the act. So too do they appreciate that strong forensic evidence concerning network hacks makes it much more likely to pin the attacks on the perpetrators. I won't go into details about the controls but suffice to say that practice is good.
In Europe and Australasia, in my experience, the banking regulations are primarily concerned with corporate governance, accounting practices and systemic risk - areas in which banks' commercial interests might conceivably conflict with the wider interest of customers, tax authorities, shareholders and society. There are of course laws and regulations about privacy, but compliance is relatively insignificant for banks given the pervasive security culture. The laws and regulations mandate privacy 101 for the witless and clueless, while on the whole banks are in a completely different class*.
So is there something materially different about financial services in the States that for some reason requires rather minimal security standards to be imposed on the industry by a government regulator? Without the regulations, would US banks not be concerned about protecting their customers' assets? Unless spoon-fed the appropriate security advice, I wonder whether they would casually leave the vault doors open?
That the FFIEC guidance even exists perhaps implies that (some) US financial institutions are incompetent, negligent and/or irresponsible regarding information security. Following hot on the heels of the 'sub prime' fiasco, there does seem to be something of a mental block there concerning risk and control. Please tell me I'm wrong ...
* That's not to say that banks always get it right - like for instance the local branch that insisted on repeatedly FAXing confidential customer paperwork to my office phone, until I was annoyed enough to forward the call to our office FAX and discovered the culprit. It was a simple case of digital dyslexia - a wrong number stored in the FAX machine's memory. The branch was of course embarrassed to discover the breach and the annoying calls stopped immediately. Lesson over. Move along. No need for an industry regulation.