Regulatory Agencies Renew Commitment to Internet Security
By: BEAU J. HURTIG
December 2011
Prudent bankers typically attempt to anticipate matters that are likely to receive the greatest scrutiny from bank regulators during an examination. Anticipating particular areas of examiner focus permits bankers to evaluate these areas beforehand and, if necessary, implement enhancements. Over the past three years, bank examiners often placed heightened emphasis on matters such as capital levels, asset quality and liquidity; however, recent experiences indicate that new areas of emphasis may be on the horizon.
One such area in which financial institutions should be ready for increased scrutiny is internet security. Based on the Federal Financial Institutions Examination Council’s (FFIEC) recent release of its “Supplement to Authentication in an Internet Banking Environment” (Supplementary Guidance) and the rise in internet-related financial fraud, we believe that the security of internet banking products may be one emerging point of emphasis in examinations.
Background
As you may recall, the FFIEC initially issued enhanced security techniques with respect to internet banking in 2005. On June 28, 2011, the FFIEC renewed its commitment to internet banking security by issuing the Supplementary Guidance. The FFIEC summarized its reasoning for updating the 2005 guidance by stating, “The agencies are concerned that customer authentication methods and controls implemented in conformance with [the initial 2005 guidance] several years ago have become less effective.”
The Supplementary Guidance confirms the recommendations to banks offering internet products that were outlined in the original guidance. These recommendations include employing layered controls and multifactor authentication with respect to certain high risk transactions, as well as conducting periodic risk assessments. As a reminder, high risk transactions are “transactions involving access to customer information or the movement of funds to other parties.” Layered security “is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control” such as fraud monitoring systems, dual authentication, out-of-band verification, and positive pay.
In addition to reaffirming the benefits of these previous recommendations, the Supplementary Guidance provides additional commentary regarding the effectiveness of certain security measures and minimum expected internet security program elements based on the FFIEC’s experience with fraudulent activity since the issuance of the initial 2005 guidance.
Risk Assessment
The Supplementary Guidelines reaffirm the importance of periodic risk assessments, stating that “financial institutions should perform periodic risk assessments and adjust their customers’ authentication controls as appropriate in response to new threats to customers’ online accounts.” These risk assessments should be performed at least every twelve months.
The risk assessment should consider relevant factors, such as those related to (i) the external threat environment, (ii) the customer base utilizing the institution’s internet banking products, (iii) product functionality, and (iv) the institution’s actual experiences with fraudulent or other malicious behavior. Financial institutions also may benefit from maintaining records regarding the risk assessment, its findings, and resulting enhancements the institution implemented so that examiners may readily see the steps the institution has taken to maintain security.
Authentication for High Risk Transactions
The Supplementary Guidelines require layered security for high risk transactions initiated by both consumer and business customers. The FFIEC also draws an important distinction between internet transactions initiated by consumers and those initiated by businesses. Specifically, the FFIEC acknowledges that consumer transactions generally pose a relatively lower risk of fraudulent activity because they are less frequent and smaller in size. Conversely, the FFIEC recognizes that, because they frequently involve larger ACH and wire transfers, business transactions (primarily those initiated by small to medium size institutions) pose a greater risk. Therefore, in addition to layered security, the Supplementary Guidelines recommend multifactor authentication for business transactions.
Significantly, the Supplementary Guidelines indicate that the agencies expect layered security measures to contain certain minimum elements. Such strong language setting forth minimum requirements is rare in interagency guidance, so financial institutions would be wise to implement these requirements.
The first element the agencies expect is a process designed to detect and respond to irregularities relating to initial login and transaction initiation. The agencies also share their experience that manual or automated transaction monitoring or anomaly detection and response “could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”
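The following Python sketch is an added illustration of the anomaly check described above; it is not code from the article or the FFIEC. It compares a proposed ACH/wire origination against a constructed history for one business customer (the `Transfer` fields, the `HISTORY` data and the 3-standard-deviation threshold are all assumptions) and returns the reasons the transfer departs from the customer's established pattern, so a layered control can hold it for out-of-band verification.

```python
"""Added example: transaction anomaly check for ACH/wire originations.

Flags an outgoing transfer that departs from a customer's established
pattern: an unusually large amount, a never-before-used beneficiary,
origination outside the customer's usual hours, or a transfer type the
customer has never used. All data and thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    customer: str
    amount: float      # USD
    beneficiary: str   # constructed beneficiary account label
    hour: int          # local hour of origination, 0-23
    kind: str          # "ACH" or "WIRE"


# Constructed history: weekly payroll ACH runs to one beneficiary, mid-morning.
HISTORY = [Transfer("acme", a, "payroll-acct", h, "ACH")
           for a, h in [(4800, 9), (5100, 10), (4950, 9), (5000, 10),
                        (5200, 9), (4900, 10), (5050, 9), (5150, 10)]]


def anomaly_reasons(candidate: Transfer, history: list, z_limit: float = 3.0) -> list:
    """Return the reasons a transfer looks anomalous (empty list means normal)."""
    past = [t for t in history if t.customer == candidate.customer]
    if not past:
        return ["no established pattern for customer"]
    reasons = []
    amounts = [t.amount for t in past]
    mu, sigma = mean(amounts), pstdev(amounts)
    # A zero spread (identical past amounts) would make the z-score undefined.
    if sigma == 0:
        if candidate.amount != mu:
            reasons.append(f"amount {candidate.amount:.2f} differs from usual {mu:.2f}")
    elif (candidate.amount - mu) / sigma > z_limit:
        reasons.append(f"amount {candidate.amount:.2f} is {(candidate.amount - mu) / sigma:.1f} sd above mean")
    if candidate.beneficiary not in {t.beneficiary for t in past}:
        reasons.append(f"new beneficiary {candidate.beneficiary}")
    hours = [t.hour for t in past]
    if not min(hours) <= candidate.hour <= max(hours):
        reasons.append(f"hour {candidate.hour} outside usual {min(hours)}-{max(hours)}")
    if candidate.kind not in {t.kind for t in past}:
        reasons.append(f"first {candidate.kind} for customer")
    return reasons


def requires_review(candidate: Transfer, history: list) -> bool:
    """Layered-control decision: hold for out-of-band verification if anomalous."""
    return bool(anomaly_reasons(candidate, history))
```

A real monitoring system would also weigh velocity (number of transfers per day) and the destination's history across customers, which this sketch omits.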
The second element the agencies expect involves enhanced controls for system administrators on business accounts. Such enhanced controls on the program administrator might include an additional authentication routine or transaction verification routine prior to final access or program changes (e.g., calling or faxing your customer to notify them of the proposed change in access or the program).
Questionable Authentication Techniques
The Supplementary Guidelines are also helpful in that they specifically describe certain security processes that the agencies may not view as sufficient. The first is the use of simple device authentication, which involves loading a single cookie on a customer’s computer to confirm that the computer is the one associated with the party’s initial enrollment, username, and password. The Supplementary Guidelines state that the agencies no longer consider simple device authentication to be sufficient. However, the use of more complex device authentication techniques, including those that consider a combination of factors—such as computer configuration, IP address, geo-location, and other factors—is still considered sufficient.
The agencies similarly do not consider simple challenge questions (e.g., mother’s maiden name, high school, graduation year) to be sufficient as a fallback when the primary login technique becomes unavailable. Instead, financial institutions are directed to employ more sophisticated “out of wallet” questions whose answers are not readily available on the internet or otherwise in the public domain. Further, the Supplementary Guidelines recommend asking multiple questions and including a “red herring” question that the customer will recognize as nonsensical but that may trick a fraudster.
Customer Education Program
Finally, the agencies recognize that customer education may play an important role in mitigating internet-related fraud. Therefore, the Supplementary Guidelines recommend educating both consumers and businesses regarding internet security, including: the internet banking protections the institution offers (and does not offer); the situations, if any, under which the institution may contact the customer with respect to login credentials; suggestions for customer risk assessments; a listing of risk control mechanisms customers may want to employ; and/or bank contacts to whom customers should report suspicious activity.
Takeaway
Bankers may wish to consider reexamining their internet authentication security procedures, as this area is likely to become a point of particular emphasis for examiners in upcoming exams.
