Today, I saw a press release from Green Armor hyping that Six Credit Unions Choose Green Armor Solutions' Identity Cues Two Factor for FFIEC and NCUA Compliant Two-Factor & Two-Way (Mutual) Authentication. Do I even need to say why this irritates me?
You probably already know that it infuriates me when vendors use FFIEC guidance to try to sell product. Green Armor is in that camp - they set the tone in the title ("Two Factor... for FFIEC... Compliant... Authentication") and progress from there:
Identity Cues Two Factor will allow the credit unions to improve authentication for online banking and to meet new FFIEC and NCUA guidelines without sacrificing user friendliness, and without having to endure a complicated and costly enrollment process... they provide strong two-factor authentication (exceeding FFIEC guidelines) as well as effective two-way (mutual) authentication that protects against phishing, pharming, and online fraud...
Clearly, for something to be "compliant", the implication is that there is a regulatory mandate to which it responds. In this case, Green Armor is implying that the FFIEC's 2005 guidance mandates two-factor authentication; more specifically, the claim is that the 2005 Authentication Guidance requires that financial services institutions implement two-factor authentication and that Green Armor helps them fulfill that mandatory activity. Far be it from me to point out that documents entitled "guidance" are rarely prescriptive. But let's take a look at the document anyway, shall we:
"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Look at that phrasing: "where risk assessments indicate...", "or other controls." Decisive. Powerful. Prescriptive. What's that - not decisive or powerful at all? Maybe not. Let's compare that language with something that is a clear mandate; something financial services regulators are unambiguous about. How about SEC Rule 33-8590 governing EDGAR filings and reporting:
We are requiring that certain open-end management investment companies and insurance company separate accounts identify in their EDGAR submissions information relating to their series and classes (or contracts, in the case of separate accounts). In addition, we are adding two investment company filings to the list of those that must be filed electronically and making several minor and technical amendments to our rules governing the electronic submission of filings through EDGAR.
Now that seems more prescriptive to me: "We are requiring..." compared to "where risk assessments indicate", and "that must be filed electronically" compared to "should implement multifactor ... or other controls".
For humor value, substitute into this Rule the same clausal structure that is used in the 2005 Authentication Guidance. The rule now reads like this: "When necessary, investment companies should identify in their EDGAR submissions information relating to their series and classes, or identify separate accounts through other mechanisms reasonably calculated to do so." That's the same thing, right?
Posted by Ed at March 15, 2006 08:09 AM