On June 28, 2011, the FFIEC published a press release titled "Supplement to Authentication in an Internet Banking Environment." In the introduction of the supplement, the FFIEC member agencies state that they "have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012." The question is: is your financial institution in compliance with the new guidance? In this article, we review the basic principles outlined in the guidance.
Purpose and Background:
The purpose of the Supplement is to reinforce the 2005 Guidance on Internet Banking and to update the Agencies' expectations regarding customer authentication, layered security, and other controls in light of an increasingly expanded and hostile threat landscape. As services have expanded and technology has changed, new types of fraud and the number of customer complaints have risen substantially each year since the 2005 guidance, particularly with respect to commercial accounts. In general, the Agencies state they are concerned that the authentication methods and controls considered adequate in 2005 may not be adequate for today's threat landscape.
Specific Supervisory Expectations:
Risk Assessments: The Agencies reiterate and stress the importance of periodic risk assessments. Specifically, they expect the risk assessment process to be conducted or updated based on new pertinent information becoming available, prior to implementing new electronic financial services, or at least every twelve months. At a minimum, the risk assessment should include:
- Changes in the internal and external threat environment
- Changes in the customer base adopting electronic banking
- Changes in the customer functionality offered through electronic banking
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry
Customer Authentication for High-Risk Transactions: The Agencies maintain the 2005 definition of "high-risk transactions" as "electronic transactions involving access to customer information or the movement of funds to other parties." However, they state that financial institutions should implement more robust controls as the risk level of a transaction increases. They go on to distinguish two types of banking customers: Retail/Consumer and Business/Commercial. Business/Commercial accounts are described as generally higher risk (larger balances, higher transaction volumes, and more frequent funds transfers), and multifactor authentication is recommended for these customers.
Layered Security Program: The Agencies also stress the importance of a layered security program, meaning different controls applied at different points in the transaction process, so that if one control fails, another is in place to prevent a fraudulent transaction from completing. Layered security is beneficial in all areas of security (physical, logical, etc.), and Internet banking is no different. Layers can include authentication techniques, fraud detection and monitoring software, out-of-band verification of transactions, and similar controls. The guidance states that the Agencies expect to see, at a minimum, processes to detect and respond to suspicious activity, and enhanced controls over administrative functions on business accounts (e.g. requiring additional verification when a user requests a change to application access or user privileges).
Effectiveness of Certain Authentication Techniques: The Agencies address the effectiveness of two common Internet banking controls: device identification (cookies) and challenge questions. For both controls, simple implementations are deemed ineffective as a primary control. Simple device identification typically places a cookie on the customer's PC; when the customer attempts to log in from a PC that does not carry the cookie, they are prompted with challenge questions to verify their identity. The weakness is that the cookie is just a value on disk: malware on the customer's PC can copy it, and whoever presents the copied value looks like the trusted device. A more sophisticated ("complex") form of this control builds the device identifier from a combination of characteristics such as PC configuration, IP address, and similar attributes, so that a copied token presented from a different machine no longer matches. Simple challenge questions often rely on information easily retrievable through an Internet search or from social networking sites, so the supplement recommends more sophisticated questions whose answers are not publicly discoverable.
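As an added illustration (not code from the FFIEC supplement or from the author of this article), the Python sketch below contrasts a simple copyable device cookie with a device-bound token, and then shows how a layered, risk-scored step-up decision could require challenge questions or out-of-band verification as indicators accumulate. The server secret, the attribute names used for the fingerprint, the score weights, the dollar threshold, and the control names are all assumptions made for the example.

```python
"""Device identification and layered step-up, as an added example.

Assumptions (not from the FFIEC supplement): the server secret, the device
attributes fingerprinted, the risk weights, the amount threshold and the
control names are all invented for illustration.
"""
import hashlib
import hmac

# Hypothetical server-side secret; in a real deployment this lives in a key store.
SERVER_SECRET = b"example-secret-do-not-use-in-production"

# Device characteristics a "complex" device-identification control might combine.
FINGERPRINT_FIELDS = ("user_agent", "platform", "screen", "timezone", "language")


def simple_cookie_matches(stored: str, presented: str) -> bool:
    """Simple device identification: possession of the cookie value is the proof.
    Anyone holding a copy of the value (e.g. malware that read it) passes."""
    return hmac.compare_digest(stored, presented)


def device_fingerprint(attrs: dict) -> str:
    """Canonical SHA-256 over a fixed, ordered set of device characteristics."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_device_token(customer_id: str, attrs: dict) -> str:
    """Token bound to the customer and the device fingerprint with an HMAC."""
    message = f"{customer_id}:{device_fingerprint(attrs)}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def device_token_valid(customer_id: str, attrs: dict, token: str) -> bool:
    """Recompute the expected token from the characteristics actually observed.
    A copied token presented from a machine with different characteristics fails."""
    expected = issue_device_token(customer_id, attrs)
    return hmac.compare_digest(expected, token)


def ip_network(ip: str) -> str:
    """Coarse /24 bucket for change detection; assumes IPv4 dotted-quad input."""
    return ".".join(ip.split(".")[:3])


def required_controls(customer_type: str, amount: float, device_ok: bool,
                      last_ip: str, current_ip: str, threshold: float = 10_000) -> list:
    """Layered security: controls are added as risk indicators accumulate.
    Weights and the threshold are illustrative assumptions."""
    score = 0
    if not device_ok:
        score += 2          # unrecognized or copied device token
    if ip_network(last_ip) != ip_network(current_ip):
        score += 1          # customer appears to be on a different network
    if customer_type == "commercial":
        score += 1          # business accounts treated as higher risk
    if amount >= threshold:
        score += 2          # large movement of funds
    controls = []
    if score >= 2:
        controls.append("challenge_questions")
    if score >= 4:
        controls.append("out_of_band_verification")
    return controls


# Constructed sample data: the customer's usual PC and an attacker's PC that
# has obtained a copy of the customer's device token.
HOME_PC = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "platform": "Win32",
           "screen": "1920x1080", "timezone": "-300", "language": "en-US"}
ATTACKER_PC = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "platform": "Linux x86_64",
               "screen": "1366x768", "timezone": "180", "language": "ru-RU"}


def demo() -> dict:
    """Run the scenario and return the outcomes for inspection."""
    token = issue_device_token("cust-001", HOME_PC)
    return {
        "simple_cookie_copied_passes": simple_cookie_matches(token, token),
        "bound_token_home_pc": device_token_valid("cust-001", HOME_PC, token),
        "bound_token_attacker_pc": device_token_valid("cust-001", ATTACKER_PC, token),
        "retail_small_known_device": required_controls(
            "retail", 50, True, "203.0.113.10", "203.0.113.77"),
        "commercial_large_new_device": required_controls(
            "commercial", 25_000, False, "203.0.113.10", "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the bound token is not that the fingerprint is secret (it is not), but that the token only verifies when the characteristics observed at login reproduce the ones it was issued against, so a stolen value alone is insufficient; the step-up table then decides which additional layer the transaction has to clear.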
Customer Awareness and Education: Financial institutions are responsible for educating both retail and commercial account holders to raise awareness of Internet banking threats and the controls that mitigate them. This includes telling customers how the institution will (and will not) contact them regarding their account, describing control mechanisms the customer may want to implement (e.g. antivirus software), explaining the protections Regulation E provides to account holders, and providing a list of institutional contacts customers should notify if they suspect unauthorized or suspicious account activity.