Internet Banking Security Guidance

FFIEC backs layered security programs, detecting transaction anomalies.

The Federal Financial Institutions Examinations Council on Tuesday issued a supplement to its Internet banking authentication recommendations.

The new document updates guidance issued in 2005. The FFIEC doesn’t recommend any specific software solutions in the report but said it has instructed its member agencies, including the NCUA, to formally assess financial institutions based on the new guidance beginning in January 2012.

“The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers,” the FFIEC document said.

“Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions,” it said.

The 12-page report notes that not all transactions in the growing online channel involve the same measure of risk and recommends financial institutions increase the strength of their controls as the risk increases.

“I just finished reviewing the FFIEC guidance issued today. It looks like good progress compared to the open-ended nature of the 2005 recommendations. Most big banks are already doing the tasks laid out,” said Steven Kietz of Woodbury Advisors in New York, a former executive with JP Morgan Chase, Citigroup and Mobile Money Ventures.

“I would like to see more specific requirements to prevent fraud, like tokens and using text messaging to issue one-time passwords,” Kietz added.

The report does provide some detail of FFIEC’s expectations, including layered security programs that involve fraud detection and monitoring systems, dual customer authorization through different access devices, out-of-band verification for transactions, and debit blocks and other techniques to screen or limit the amount of transactions.

Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use “at a minimum.”

“Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior,” the new guidance said.

And while also adding the need for financial education as a tool, and the constantly updated use of anti-malware software, the FFIEC said it realized that no defenses have proved totally secure.

“It is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack,” the council’s report said.

The FFIEC makes policy recommendations to attempt to achieve greater uniformity in regulatory policies. It is made up of representatives from five federal regulatory agencies and one representative of state regulators.

Debbie Matz chairs the FFIEC, the first National Credit Union Administration chairman in that post. The agencies represented are the NCUA, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the State Liaison Committee.

 

Comments