About Us | Contact Us
View Cart

Interim Framework for Auditing Progress on Supplement

By Dan Hadaway | Wednesday, September 21, 2011 - Leave a Comment

An Interim Audit Framework for the Supplement to the 2005 Authentication Guidance

Since I find myself sending this in e-mails to several of our Clients, I thought it would make a good Dan’s New Leaf post:

The problem:  Between now and your next examination, depending on when that is, you “should be” working on ensuring your bank complies with the Supplement that was released on June 28th 2011 to clarify the Authentication Guidance that was released in October 2005.  But what are you supposed to be doing?  The guidance itself establishes January as the date that “examiners will start guiding banks towards compliance.”

So what actually needs to be done between now and then?

The following is an audit framework that I will be using for banks I audit between now and March of 2012.  It may change as I learn more about the FFIEC’s expectations, especially at the upcoming IT Security Conference on October 12th and 13th.  There will be at least one talk dedicated to the subject, and we’ll also have that examiner panel!!

But, if you have ME coming in to audit you between now and March of 2012, I believe if you see this seven-point plan as the goal post, and have a good explanation as to where you are against this goal post, and you are closer to the 20 yard line than the 50 yard line, you will be in good shape.


Seven Point Plan for Compliance with the Supplement to the 2005 Authentication Guidance:

  1. Branchless Banking (or Electronic Banking Policy1): Have you updated your Policy to establish that the bank needs to a) Inventory all Branchless Banking Assets conduct a risk assessment to identify assets (including payment processes, delivery systems, and authentication assets) which require more scrutiny from a risk management perspective?
  2. Asset Prioritization Risk Assessment: Do you have a high-level (system-level) risk assessment on your Branchless Banking Assets to help you prioritize which assets require more scrutiny?  Have you conducted a risk assessment on the primary systems you call “electronic banking” to determine which ones require more scrutiny?
  3. Inventory of your branchless banking assets: Have you inventoried all assets which store bank information outside of the bank?  This would include an inventory of transactions as well as payment processes as well as system.  In other words, you might have Internet Banking on your inventory, but also Billpay and Set Up New Payee.  All three are different assets, even though one is a subset of another which is a subset of another.  The level of detail in your inventory depends upon the results of your Asset Prioritization Risk Assessment (see point 2 above.)
  4. Documentation of Authentication Methods: In that inventory, are you documenting for each asset the type of authentication method being used?  By the way, if the answer for ANY asset is “that depends,” then your asset inventory is not detailed enough.  In other words, if you say “the type of authentication we use for Billpay depends on whether you are setting up a new payee or whether you are just authorizing a payment” then you actually have three assets:  Billpay, Setting up New Payee, Authorizing Payments.  You want your inventory to be that detailed.
  5. Drill-down Risk Assessments: Have you started detailed (drill-down) risk assessments on assets identified in the high-level assessment as high priority?  As an auditor, I will be asking how that’s going and offering suggestions as to how to make sure it is complete and in compliance with the supplement.
  6. Vendor Management: Have you contacted your vendors and service providers?  Compliance?  Projected Timeline?  Good faith effort to be ongoing?  Regular communication on progress.  Do you understand how your Vendor intends to come into compliance with various parts of the supplement?
  7. Customer Awareness Training Strategy: Have you created a strategy, or at least met with your marketing team and/or the appropriate persons in the bank, for how you are going to meet the Customer Awareness and Education requirements of the Supplement.

I hope this “audit framework” provides a little direction for you.  I’d be happy to answer any questions you may have, especially if you’re a Client!

We’ll get through this together!!

Footnote #1:  To understand why I’m using the term “Branchless Banking Assets” instead of “Electronic Banking Assets,” check out this article.)


Founder and President, Infotex


“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Millions of phishing emails will get through automated defenses this year, are your employees ready? An article review. With cybersecurity threats such as cryptocurrency miners and ransomware seeming to dominate the news, it can be easy to forget about older threats such as phishing…but a recent report from cybersecurity firm Tessian reminds us that criminals […]
    The FFIEC’s latest guidance: The Architecture, Infrastructure, and Operations, has brought many changes to exactly how a small financial institution may look at their Technology Planning for 2022. Included in that will be the opportunity to write your first Architecture Plan and we intend to show you what may be involved in that! Have any […]
    While we’re not a news service, we often use current events to comment on trends and our services. This blog is intended to get people thinking about topics and trends in Technology Risk Management, through our article reviews, as well as through original blog articles about current events and our MSSP services (such as our […]
    Following the contribution, Have I Been Pwned will host more than 800 million compromised credentials… An article review. Have any of your login credentials been revealed in a breach?  If you’re unsure about that, Have I Been Pwned (HIBP) can help you out by letting you check against over 600 million compromised credentials…and with the […]
    infotex and Log4j We are keeping our Clients’ safety in mind. To all infotex managed security service Clients: On Friday December 10th, infotex became aware of a zero-day vulnerability in the Apache Log4j library that allows unauthenticated remote code execution. We began incident response and took steps to proactively disable potentially vulnerable applications until we […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Trending: Awareness Posters went “Back to Basics” Here are the top seven posters as of the last twelve months! As always, our Awareness Posters were a hit in 2021! So we decided to run some reports to see what our most popular posters were since November 2020. As everybody loves top ten lists and contests, […]
    Dan is joined by a Panel to discuss the FFIEC’s New AIO Guidance and how it may impact Technology Planning in the future.