FFIEC Authentication in an Internet Banking Environment


    1. FFIEC Authentication in an Internet Banking Environment Supplemental Guidance

    2. Internet Banking Authentication
       - June 2011 references: OCC Bulletin 2011-26; FDIC FIL-50-2011
       - Supplements October 2005 guidance: OCC Bulletin 2005-35; FDIC FIL-103-2005
       - Examiners will begin assessing compliance in January 2012

    3. Internet Banking Authentication
       - Online fraud has increased since 2005, particularly for commercial accounts and automated payment systems such as wire transfers and ACH
       - Supplemental guidance issued to reinforce the risk management framework and update agency expectations for customer authentication, layered security and other controls over internet banking services

    4. Risk Assessment
       - Perform at least annually and update:
         - As new information becomes available
         - On changes in the internal and external threat environment
         - After actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry
         - Prior to implementing new electronic financial services
         - On changes in customer functionality offered through electronic banking
         - On changes in your customer base adopting electronic banking

    5. Adjust Authentication Controls
       - Strengthen and enhance your controls to limit and mitigate risks present for both retail/consumer and business/commercial accounts for “high risk” transactions
         - Electronic transactions involving access to customer information or the movement of funds to other parties
       - Not every online transaction poses the same level of risk
       - Implement more robust controls as the risk level of the transaction increases

    6. Adjust Authentication Controls
       - Consumer customers
         - Generally lower risk than commercial due to lower frequency and typically lower dollar amounts
         - Access account information, bill payment, intrabank funds transfers, interbank funds transfers or wire transfers
         - Implement layered security
       - Commercial customers
         - Typically ACH file origination and interbank wire transfers
         - Implement layered security; in addition, the agencies recommend offering multifactor authentication

    7. Layered Security
       - Different controls at different points
       - Program MUST have at least the following two elements:
         (1) Detect and respond to suspicious activity consistent with the customer’s history and behavior
           - During initial login and authentication of customers, and
           - When initiating funds transfers to other parties

    8. Layered Security
         (2) Control of administrative functions for system administrators that are granted privileges to set up or change system configurations
           - Should exceed controls for routine business customer users
           - Example: a preventative control could require an additional authentication routine or transaction verification routine (such as a notice or alert) prior to implementation of the access or application changes

    9. Layered Security
       - Tailor controls so they are appropriate for your operations and threat environment
       - Should not rely solely on any single control for authorizing high risk transactions
       - Authentication techniques deemed “ineffective” as a primary control:
         - Cookies to confirm the same PC as used to enroll and that the login/password match
           - Should use complex device identification, not “simple”
         - Challenge questions
           - Should use “out of wallet” questions

    10. Layered Security
       - Authentication techniques to consider:
         - Dual customer authorization through different access devices
         - Token-based solutions
         - Use of “out-of-band” verification for transactions
           - A transaction initiated via one delivery channel must be re-authenticated or verified via an independent delivery channel in order for the transaction to be completed

    11. Layered Security
       - Authentication techniques to consider:
         - Use of “positive pay” programs and/or blacklisting
         - Controls over account activities
           - Transaction value thresholds
           - Daily number of transaction limits
           - Allowable payment windows such as certain days and/or times of day
           - Use of restricted funds transfer recipient lists

    12. Layered Security
       - Authentication techniques to consider:
         - Internet protocol (IP) reputation based tools to block known or suspect IP addresses from accessing banking servers
         - Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
         - Enhanced control over changes to account maintenance activities performed by customers online or through customer service channels

    13. Customer Education
       - Fraud risks such as:
         - Key logging malware which end-users may have installed on their computers or browsers
           - Records keystrokes entered and transmits the info to the person controlling the malware
           - Suggest anti-malware software
         - Man-in-the-middle websites
           - Fraudster inserts himself between the customer and the financial institution and hijacks the online session
           - Directs customer to a fraudulent website that mirrors the financial institution’s website

    14. Customer Education
       - To increase awareness of fraud risk and discuss effective techniques customers can use to mitigate the risk
       - Should conduct for both retail and commercial customers
       - Methods:
         - In person
         - Mail
         - Posting on website
         - Third-party brochures and newsletters

    15. Customer Education
       - Minimum elements:
         - An explanation of protections provided, and not provided, to account holders relative to EFTs under Reg E, and a related explanation of the applicability of Reg E to the types of accounts with Internet access
           - To clarify to non-consumer account holders that the protections of Regulation E don’t apply to them

    16. Customer Education
       - Minimum elements:
         - An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request he/she provide their electronic banking credentials
         - A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically

    17. Customer Education
       - Minimum elements:
         - A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and
         - A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security related events

    18. Other Controls
       - Establish individual transaction and aggregate account exposure limits based on expected account activity
       - Review volume and value limitations or parameters for activities a business customer in the aggregate, and its enrolled users individually, can functionally accomplish when accessing the online system
       - Transaction monitoring/anomaly detection software
         - Monitor and alert on exception events
       - Require business customers to deploy dual control routines over higher risk functions performed online
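As an added example that is not part of the presentation, the Python below applies the account-activity controls of slides 11 and 18 (value threshold, daily count limit, payment window, restricted recipient list, dual control) together with the history-consistency check of slide 7, the device check of slide 9 and the out-of-band step-up of slide 10 to a single funds transfer request. The customer profile, recipient names, device identifier and the 3-sigma anomaly threshold are constructed assumptions, not values from the guidance.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass
class CustomerProfile:            # controls over account activities, set per customer
    per_txn_limit: float          # transaction value threshold
    daily_count_limit: int        # daily number of transactions limit
    allowed_hours: range          # allowable payment window (local hours)
    allowed_weekdays: set         # allowable days, 0 = Monday
    recipient_list: set           # restricted funds transfer recipient list
    history_amounts: list         # prior transfer amounts, baseline for anomaly detection
    dual_control_above: float     # second authorizer required above this value
    enrolled_device: str          # device identifier recorded at enrolment

@dataclass
class Transfer:
    amount: float
    recipient: str
    when: datetime
    txns_today: int               # transfers already made today
    device_id: str
    approvals: int                # distinct users who authorized this transfer

def evaluate_transfer(p: CustomerProfile, t: Transfer):
    """Return (decision, reasons): 'verify' = re-authenticate out of band first, 'block' = hard control failed."""
    checks = [
        ("block", "recipient not on restricted recipient list", t.recipient not in p.recipient_list),
        ("block", "exceeds transaction value threshold", t.amount > p.per_txn_limit),
        ("block", "daily transaction count limit reached", t.txns_today >= p.daily_count_limit),
        ("verify", "outside allowable payment window",
         t.when.hour not in p.allowed_hours or t.when.weekday() not in p.allowed_weekdays),
        ("verify", "unrecognised device", t.device_id != p.enrolled_device),
        ("verify", "dual customer authorization required",
         t.amount > p.dual_control_above and t.approvals < 2),
    ]
    # Anomaly detection against the customer's own history (assumes a non-empty history).
    mu, sd = mean(p.history_amounts), pstdev(p.history_amounts) or 1.0
    checks.append(("verify", "amount inconsistent with customer history", (t.amount - mu) / sd > 3))
    hits = [(level, why) for level, why, hit in checks if hit]
    decision = "block" if any(l == "block" for l, _ in hits) else "verify" if hits else "allow"
    return decision, [why for _, why in hits]

# Constructed sample customer and a helper to build scenarios from ISO timestamps.
SAMPLE_PROFILE = CustomerProfile(50_000, 10, range(8, 18), {0, 1, 2, 3, 4},
                                 {"ACME-PAYROLL", "VENDOR-0042"},
                                 [1200, 1350, 980, 1100, 1250, 1300], 10_000, "dev-001")

def make_transfer(amount, recipient, when_iso, approvals=1, device="dev-001", txns_today=2):
    return Transfer(amount, recipient, datetime.fromisoformat(when_iso), txns_today, device, approvals)
```

A "block" result is a hard stop from the account-activity controls, while "verify" returns the list of reasons the transfer must be re-authenticated through an independent channel (or by a second authorizer) before it completes.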