Beginning next year, NCUA examiners will expect credit unions to be following a tougher new set of guidelines for securing online banking and money transfers.
NCUA Chairman Debbie Matz made that promise after the Federal Financial Institutions Examinations Council issued new guidance last week that calls for financial institutions to institute new safeguards against the rising tide of fraud.
The FFIEC guidelines were last updated in 2005. A growing series of breaches and hack attacks have since then netted fraudsters around the globe millions of dollars and sparked legal battles over liability between victimized banks and customers.
The new guidelines call for recognitions of layered security measures to deal with escalating levels of risk, improved and expanded authentication mechanisms, financial education and other measures to combat online fraud and identity theft.
Credit unions have not been immune from the onslaught of cybercrime, and they’ll be expected to step up their defenses.
“This guidance reinforces the previous risk management framework. More importantly, the supplement updates supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat growing identity theft attacks and online transaction frauds,” said Matz, who’s also the first NCUA chairman to chair the multiagency FFIEC.
“For federally insured credit unions, they will be expected to adapt appropriate strategies to strengthen and enhance controls by January 2012,” Matz said. “Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined in the supplement.”
The 12-page report, “Supplement to Authentication in an Internet Banking Environment,” notes that not all transactions in the growing online channel involve the same measure of risk and recommends financial institutions increase the strength of their controls as the risk increases.
And while not recommending specific software solutions, the report does provide some detail of FFIEC’s expectations, including layered security programs that involve fraud detection and monitoring systems, dual customer authorization through different access devices, out-of-band verification for transactions, and debit blocks and other techniques to screen or limit the amount of transactions.
Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use “at a minimum.”
“Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior,” the new guidance said.
And while also adding the need for financial education as a tool, and the constantly updated use of antimalware software, the FFIEC said it realized that no defenses have proved totally secure.
“It is important to note, that none of the controls discussed provide absolute assurance in preventing or detecting a successful attack,” the council’s report said.
Industry participants said the new guidance was a beginning toward improving security.
“We think the supplemental guidance is a positive step forward,” said Tiffany Riley, vice president of marketing at Guardian Analytics in Los Altos, Calif. It “sets clear minimum expectations for a layered security program that we agree will help prevent online banking fraud. We've seen how effective behavior-based anomaly detection and transaction monitoring can be."
Steven Kietz of Woodbury Advisors in New York said, “It looks like good progress compared to the open-ended nature of the 2005 recommendations. Most big banks are already doing the tasks laid out.”
The former executive with JPMorgan Chase, Citigroup and Mobile Money Ventures added, “I would like to see more specific requirements to prevent fraud, like tokens and using text messaging to issue one-time passwords.”
The FFIEC makes policy recommendations to attempt to achieve greater regulatory uniformity.