The Federal Financial Institutions Examination Council (FFIEC), noting that security threats continue to mount, has supplemented its 2005 guidance on authenticating the identity of customers who access their financial accounts online. The supplement addresses minimum authentication requirements, specific authentication techniques, and recommended review timelines, customer education, and internal policies and procedures.
The FFIEC continues to endorse multilayer and multifactor authentication methods for ensuring that the person accessing accounts online is the customer. However, the supplement, issued June 28, 2011, further recommends a review of authentication methods at least every 12 months and in conjunction with the introduction of new online functionality. The review should include a careful examination of the limits on transaction volumes and dollar amounts that the financial institution imposes on online transactions.
The FFIEC reiterates that online business transactions are at particular risk, recommending that the customer authentication program should consist not only of multiple layers in these cases but also multiple factors.
A “layered security program,” as defined by FFIEC, uses “different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” At minimum, the program should include two elements:
- Processes that detect and respond to suspicious activity at the two riskiest points of online banking—when a customer initiates the online banking relationship and when the customer transfers money electronically to third parties. Such requests should be reviewed, manually or automatically, to determine whether they fit a customer’s pattern of behavior.
- Enhanced controls for financial institutions over system administrators who manage online access to and configuration of business accounts. Administrators should be required to use one-time passwords for changes to access or account configuration, or the change should be delayed until the administrator or another trusted employee verifies the request by clicking a link in a transaction verification e-mail notice.
The FFIEC supplement sizes up authentication techniques currently in use and provides some commentary:
- A customer’s device may be identified by placing a simple cookie on the computer that the customer first uses to access his or her accounts. Each time the customer returns to the site, the financial institution can read that simple cookie and validate that the customer has completely authenticated previously. The FFIEC states that such a cookie is easily copied and recommends that additional, more complex authentication techniques be used to ensure accurate device identification, such as the financial institution capturing information about the customer’s PC configuration, IP address, and geo-location.
- A series of challenge questions is presented to a customer to answer before he or she is able to proceed to online accounts. The FFIEC states that these questions should not be pegged to information generally available through social media sites and the Internet, e.g., birth dates or places of birth. Instead, multiple questions should be presented, and/or a question designed to trick the fraudster should be included that the legitimate customer will recognize as “nonsensical.” There should be enough questions in the pool that several can be presented in a session without all of them being presented at once.
- The customer is asked to approve a transaction or request using a channel different from the one used for the initial request (“out-of-band authentication”). For example, if the customer schedules a transfer of funds to a third party online, the transfer will be delayed until the customer confirms the transfer by texting a security code. The FFIEC generally favors out-of-band authentication for higher-risk transactions and customers. For business customers, the FFIEC suggests that the verification be provided by someone other than the transaction initiator and be combined with other administrative controls.
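The layered controls described above, as an added illustration that is not part of the FFIEC guidance or any institution's code: a device identifier that combines the cookie with PC configuration, IP address and geo-location, a pattern-of-behaviour check on third-party transfers, and an out-of-band hold in which a business customer's transfer must be confirmed by someone other than the initiator. The baseline fields, flag names and SMS delivery of the code are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

def device_fingerprint(cookie_id: str, user_agent: str, ip: str, geo: str) -> str:
    """Bind the cookie to PC configuration, IP and geo-location so that a copied
    cookie alone does not reproduce the device identifier (constructed scheme)."""
    return hashlib.sha256("|".join([cookie_id, user_agent, ip, geo]).encode()).hexdigest()

@dataclass
class Customer:
    business: bool
    known_devices: set          # fingerprints seen after prior full authentication
    known_payees: set           # third parties this customer has paid before
    typical_max_amount: float   # assumed behavioural baseline for transfers

@dataclass
class Transfer:
    amount: float
    payee: str
    fingerprint: str
    initiator: str              # user who scheduled the transfer

def risk_flags(cust: Customer, xfer: Transfer) -> list:
    """Compare a third-party transfer against the customer's pattern of behaviour."""
    flags = []
    if xfer.fingerprint not in cust.known_devices:
        flags.append("new_device")
    if xfer.payee not in cust.known_payees:
        flags.append("new_payee")
    if xfer.amount > cust.typical_max_amount:
        flags.append("amount_above_pattern")
    return flags

class HeldTransfer:
    """Transfer delayed until a code delivered over a separate channel is confirmed."""
    def __init__(self, cust: Customer, xfer: Transfer):
        self.cust, self.xfer = cust, xfer
        self.code = f"{secrets.randbelow(10**6):06d}"   # assumed: sent by SMS in practice
        self.released = False
    def confirm(self, code: str, approver: str) -> bool:
        # Business customers: the verifier must be someone other than the initiator.
        separate = not (self.cust.business and approver == self.xfer.initiator)
        self.released = separate and hmac.compare_digest(code, self.code)
        return self.released

def process_transfer(cust: Customer, xfer: Transfer):
    # Release immediately when within pattern, otherwise hold for out-of-band approval.
    flags = risk_flags(cust, xfer)
    return ("released", None) if not flags else ("held", HeldTransfer(cust, xfer))
```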
The FFIEC recommends that financial institutions have policies and practices for addressing potentially compromised customer devices and customers who may be facilitating fraud. Further, it sees consumer education programs as critical and recommends including, at minimum, the following:
- An explanation of the security protections offered customers in electronic fund transfers under Regulation E
- An explanation of whether and how the financial institution may contact customers unsolicited and request online banking credentials
- A suggestion that online commercial customers periodically perform a risk assessment and evaluation of controls over their online access to accounts
- A list of alternative risk-control mechanisms that customers may implement to better manage their risks
- A list of contacts for customers who notice suspicious account activity or experience security-related events