Authentication in an Internet Banking Environment
Written by Patrick Bloomstine
Yesterday, the Federal Financial Institutions Examination Council (FFIEC) released its Supplement to Authentication in an Internet Banking Environment. FFIEC originally issued guidance on this topic back in 2005. The NCUA Letter to Credit Unions can be found here. The purpose of this supplement is to “reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.”
Generally, the supplement encourages financial institutions not to rely solely on one or two controls for authorizing high-risk transactions. Instead, it advocates a system of layered security, and it sets more specific expectations in five areas of concern: risk assessments; customer authentication for high-risk transactions; layered security programs; effectiveness of certain authentication techniques; and customer awareness and education.
Layered security uses several different controls at different points in the transaction to prevent fraud. This allows one control to make up for a weakness in another and vice versa (kind of like how all the Spartans’ shields fit together to protect each other in 300). The supplement provides a non-exhaustive list of effective controls for layered security, including out-of-band verification, “positive pay”, and debit blocks.
The supplement advises that financial institutions should review their risk assessments at three points: (1) as new information becomes available, (2) before they provide new electronic financial services, and (3) at the very least every twelve months. It also provides a non-exhaustive list of factors to consider in updated risk assessments, including changes in the customer base now using electronic banking services and changes in the internal and external threat environment.
With increases in the use of electronic banking and the greater sophistication of fraudsters, this is important guidance for credit unions to take in, so pass it along to the person at your credit union in charge of online security.