The FFIEC’s New Guidance: Some Guidelines, and Help as Audits Get Under Way
In June 2011, the Federal Financial Institutions Examination Council issued the “Supplement to Authentication in an Internet Banking Environment.”
The Supplement was intended to reinforce and augment the authentication guidance issued in 2005, which had been developed to address the threats to online banking known at that time. Since 2005, attack techniques (credential-stealing malware, man-in-the-browser attacks, targeted phishing) have advanced to the point that controls considered adequate in 2005 are routinely bypassed.
The updated guidance changes expectations for risk assessments. Layered security is no longer an “optional” method for risk mitigation, several authentication methods are no longer acceptable as primary controls, and institutions must implement customer security awareness programs.
The Supplement requires financial institutions to review and update existing risk assessments:
- Whenever new information becomes available
- Prior to implementing new electronic financial services
- At least every twelve months.
Layered Security and High Risk Internet-based Transactions
Layered security is now required and is defined as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Previously, layered security was undefined and was listed as one of several methods for mitigating risks in electronic banking. The Supplement specifies two controls that must be a part of any financial institution’s layered security program.
Layered security controls should include the ability to detect and effectively respond to suspicious or anomalous activity at two points: when customers log on to the electronic banking system, and when they initiate electronic transactions involving the transfer of funds to other parties. Layered security should also include enhanced controls for system administrators who are granted privileges to set up or change system configurations (for example, access privileges and transaction limits). These controls must exceed the controls in place for routine business customers.
Methods That Can No Longer Be Used as Primary Controls
Simple device identification is a control that many financial institutions adopted in response to the 2005 guidance. In its simple form it relies on a browser cookie that records some information about the PC and is matched against the user ID and password presented at login. Some financial institutions added geolocation and IP-address matching as part of device identification. Neither is a fail-safe method of identification: cookies can be stolen and replayed, and fraudsters can route through proxies to impersonate the location of legitimate users. That is why the Supplement requires institutions to replace simple device identification with more complex methods (the Supplement describes “complex device identification” as using one-time cookies and a more detailed fingerprint built from PC configuration, IP address and geolocation).
Simple challenge questions in their basic form are also no longer acceptable as primary controls for authentication, because the answers can often be found online (social media, public records) or obtained by phishing. Requiring customers to answer multiple, less easily researched questions can still be one component of layered security.
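The two points above (anomaly detection at login and at funds-transfer initiation, plus stricter handling of administrator changes, and device identification as one signal rather than a primary control) are easier to see in code. The following Python risk-scoring routine is an added example, not code from the FFIEC Supplement or from this article. The signal weights, action thresholds, customer baseline and the sample events are all constructed assumptions; a real deployment would derive them from the institution’s own risk assessment.

```python
"""Layered-security risk scoring for online banking events (added example, not FFIEC code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What is 'normal' for one customer; values here are constructed for the example."""
    known_devices: set[str] = field(default_factory=set)    # device-cookie ids seen before
    known_countries: set[str] = field(default_factory=set)  # geolocations seen before
    known_payees: set[str] = field(default_factory=set)     # payees paid before
    typical_max_transfer: float = 0.0                       # largest routine transfer


@dataclass
class Event:
    customer: str
    kind: str                 # "login", "transfer" or "admin_change"
    device_cookie: str
    country: str
    payee: str = ""
    amount: float = 0.0
    failed_logins_last_hour: int = 0


# Hypothetical thresholds: tune from the institution's own risk assessment.
STEP_UP_AT = 3           # require out-of-band / stronger authentication
HOLD_AT = 6              # hold the transaction for manual review


def evaluate(ev: Event, base: Baseline) -> dict:
    """Score one event against the customer baseline and pick a layered response."""
    score, reasons = 0, []

    # Device identification is only ONE signal here, never a primary control.
    device_known = ev.device_cookie in base.known_devices
    if not device_known:
        score += 2
        reasons.append("unknown device")
    if ev.country not in base.known_countries:
        score += 2
        reasons.append("unusual geolocation")
        if device_known:
            # A known cookie arriving from a new location is exactly the
            # stolen-and-replayed cookie case the Supplement warns about.
            score += 1
            reasons.append("known cookie presented from new location (possible replay)")
    if ev.failed_logins_last_hour >= 3:
        score += 2
        reasons.append("repeated failed logins")

    # Second control point: initiation of a funds transfer to another party.
    if ev.kind == "transfer":
        if ev.payee not in base.known_payees:
            score += 2
            reasons.append("new payee")
        if ev.amount > base.typical_max_transfer:
            score += 3
            reasons.append("amount above customer's typical maximum")

    if score >= HOLD_AT:
        action = "hold_for_review"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"

    # Administrator configuration changes always get controls that exceed
    # those for routine business users: at minimum, step-up authentication.
    if ev.kind == "admin_change" and action == "allow":
        action = "step_up"
        reasons.append("privileged configuration change")

    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample baseline and event stream for one commercial customer.
BASELINES = {
    "acme-corp": Baseline({"dev-a1"}, {"US"}, {"Vendor-1"}, 5000.0),
}
SAMPLE_EVENTS = [
    Event("acme-corp", "login", "dev-a1", "US"),
    Event("acme-corp", "login", "dev-a1", "RO"),                      # same cookie, new country
    Event("acme-corp", "transfer", "dev-a1", "US", "Vendor-1", 2000),
    Event("acme-corp", "transfer", "dev-zz", "RO", "NewCo", 25000),   # everything anomalous
    Event("acme-corp", "admin_change", "dev-a1", "US"),               # routine device, privileged op
]


def run_sample() -> list[str]:
    """Return the action chosen for each sample event, in order."""
    return [evaluate(ev, BASELINES[ev.customer])["action"] for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, action in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.kind:13s} {ev.device_cookie:7s} {ev.country}  -> {action}")
```

The point of the structure is that no single signal decides the outcome: a valid device cookie from an unexpected country still triggers step-up, an unknown device sending a large transfer to a new payee is held, and an administrator change is never waved through on a device match alone.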
New Mandates for Customer Awareness Efforts
The Supplement states that at a minimum the customer awareness and educational efforts for retail and commercial account holders should include:
- “An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access; (Regulation E, issued by the Board of Governors of the Federal Reserve System, protects individual consumers engaging in electronic fund transfers.)
- An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
- A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.”
Banks and credit unions must demonstrate to examiners that they have done all of this. To prepare:
- Ensure your risk assessment meets or exceeds the requirements in the Supplement.
- Ensure your risk management program is updated to require review and revision at least annually, whenever new threat information becomes available, and whenever you make changes to your network, computers or applications.
- Revisit the authentication strategies used in your electronic banking programs. Apply the results of the refocused risk assessment to specify the security requirements your application developers or software vendors must comply with. Replace “simple” device identification and challenge questions with the more complex methods the Supplement calls for.
- Implement an updated customer awareness and education plan.
- Look for ways to add layers of security around servers, applications and databases. Consider file integrity monitoring, host-level intrusion prevention, and layered anti-malware (at the network perimeter as well as on the host).
- Have these items either completed or demonstrably in progress when the examiners arrive.