The Federal Financial Institutions Examination Council on Tuesday issued a supplement to its Internet banking authentication recommendations.
The new document updates guidance issued in 2005. The FFIEC doesn't recommend any specific software solutions in the report but said it has instructed its member agencies, including the NCUA, to formally assess financial institutions based on the new guidance beginning in January 2012.
“The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers,” the FFIEC document said.
“Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions,” it said.
The 12-page report notes that not all transactions in the growing online channel involve the same measure of risk and recommends financial institutions increase the strength of their controls as the risk increases.
“I just finished reviewing the FFIEC guidance issued today. It looks like good progress compared to the open-ended nature of the 2005 recommendations. Most big banks are already doing the tasks laid out,” said Steven Kietz of Woodbury Advisors in New York, a former executive with JP Morgan Chase, Citigroup and Mobile Money Ventures.
“I would like to see more specific requirements to prevent fraud, like tokens and using text messaging to issue one-time passwords,” Kietz added.
The report does provide some detail on the FFIEC's expectations, including layered security programs that involve fraud detection and monitoring systems, dual customer authorization through different access devices, out-of-band verification for transactions, and debit blocks and other techniques to screen or limit the amount of transactions.
Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use “at a minimum.”
“Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior,” the new guidance said.
While also citing the need for financial education as a tool and the use of constantly updated anti-malware software, the FFIEC said it realized that no defenses have proved totally secure.
“It is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack,” the council's report said.
The FFIEC makes policy recommendations to attempt to achieve greater uniformity in regulatory policies. It is made up of representatives from five federal regulatory agencies and one representative of state regulators.
Debbie Matz chairs the FFIEC, the first National Credit Union Administration chairman in that post. The agencies represented are the NCUA, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the State Liaison Committee.