“Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts. Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.”
On June 28, 2011, the FFIEC finally released to the public its “Supplement to Authentication in an Internet Banking Environment.” This release supplements its original online banking guidance titled “Authentication in an Internet Banking Environment,” dated October 12, 2005. The Supplement establishes the new supervisory expectations that examiners will follow in their assessments of financial institutions after January of 2012.
The Supplement addresses 5 categories of assessment:
Risk Assessment. While originally advanced in the 2005 Guidance, the Supplement reinforces the importance of a financial institution’s risk assessment of any electronic channel, with new specific guidance that institutions are expected to update their risk assessments “at least every twelve months” as well as prior to implementing new electronic financial services. It is possible that courts in future lawsuits will view this as a new “objective” criterion imposed upon bank litigants, and that unhappy customers may challenge whether a “new electronic financial service” was in fact implemented, thus triggering this supposed requirement.
Authentication. The Supplement does not change the definition of high-risk transactions imposed in the original Guidance, but it does require demonstrated flexibility depending upon whether the online customer is a consumer or a business. For businesses, financial institutions must have enhanced “layered security” and multifactor authentication. Importantly, the Supplement continues in place, with no material variance or new guidance, the original Guidance’s requirement for multifactor authentication. Thus the common litigation issues surrounding the UCC’s 4A-202 requirement for a commercially reasonable method of online authentication will not be materially affected by the Supplement, but one may now expect greater judicial scrutiny of the bank’s layered security protocol on top of the expected multifactor inquiry whenever this issue is raised in a lawsuit.
Layered Security. The Supplement expands this concept as a core security feature. Essentially, this means a demonstrated approach that uses different controls at different points in the transaction process. “A one dimensional customer authentication program is simply not robust enough to provide the level of security that customers expect and that protects institutions from financial and reputational risk.” The Supplement states that the FFIEC Agencies “expect” (will courts read this as “require”?) layered security to contain at least two elements from the Supplement’s list of nine favored controls. This portion of the Supplement warrants close review: the options presented should be evaluated against the bank’s current practices, and that menu may permit banks to better evaluate their core processor’s product offerings.
Detection/Response. Financial institutions will be assessed on their plans to detect anomalies in their customers’ online activity and on their response plans. Particular attention will be paid to log-in and authentication anomalies and to those involving fund transfers to third parties.
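To make the detection/response, layered-security and administrator-control expectations concrete, here is an added example (not text or code from the FFIEC Supplement or from this article) of a rule-based monitor that scores login, transfer and administrative events against a customer’s baseline and escalates to step-up authentication or a hold. The event format, the thresholds, the control names and the sample event stream are all constructed assumptions; a production system would learn baselines from real history and tune thresholds per customer segment.

```python
"""Added example: rule-based anomaly detection for online-banking events.

Illustrates the Supplement's "detection/response" expectation (login and
authentication anomalies, funds transfers to third parties) together with
layered controls (step-up authentication or a hold before a transfer
completes) and enhanced controls on business administrators. The event
format, thresholds and constructed sample data are assumptions, not drawn
from the FFIEC text.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed policy values; a real program would tune these per customer segment.
FAILED_LOGIN_LIMIT = 5        # failures inside the window that trigger a hold
FAILED_LOGIN_WINDOW = 600     # seconds
AMOUNT_FACTOR = 2.0           # multiple of the customer's historical maximum


@dataclass
class Event:
    ts: int                   # seconds on a constructed timeline
    user: str
    kind: str                 # "login", "transfer" or "admin"
    device_id: str
    country: str
    ok: bool = True           # for logins: did authentication succeed?
    payee: Optional[str] = None
    amount: float = 0.0


@dataclass
class Profile:
    """Per-customer baseline learned from prior activity (constructed here)."""
    known_devices: Set[str]
    known_countries: Set[str]
    known_payees: Set[str]
    typical_max_transfer: float
    failed_logins: int = 0
    last_failed_ts: int = -FAILED_LOGIN_WINDOW


def assess(ev: Event, p: Profile) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is "allow", "step_up" or "hold"."""
    reasons: List[str] = []
    if ev.kind == "login":
        if not ev.ok:
            if ev.ts - p.last_failed_ts > FAILED_LOGIN_WINDOW:
                p.failed_logins = 0        # old failures fall out of the window
            p.failed_logins += 1
            p.last_failed_ts = ev.ts
            if p.failed_logins >= FAILED_LOGIN_LIMIT:
                reasons.append("failed-login burst")
                return "hold", reasons
            return "allow", reasons        # failure recorded, no action yet
        p.failed_logins = 0
        if ev.device_id not in p.known_devices:
            reasons.append("unrecognized device")
        if ev.country not in p.known_countries:
            reasons.append("unusual country")
        return ("step_up" if reasons else "allow"), reasons
    if ev.kind == "transfer":
        if ev.payee not in p.known_payees:
            reasons.append("new third-party payee")
        if ev.amount > p.typical_max_transfer * AMOUNT_FACTOR:
            reasons.append("amount far above history")
        if ev.device_id not in p.known_devices:
            reasons.append("unrecognized device")
        if len(reasons) >= 2:
            return "hold", reasons         # two independent signals: hold for review
        return ("step_up" if reasons else "allow"), reasons
    if ev.kind == "admin":
        # Enhanced control on the business customer's administrator: any change
        # to users or limits needs a second approver regardless of other signals.
        reasons.append("administrative change requires second approver")
        return "step_up", reasons
    raise ValueError(f"unknown event kind {ev.kind!r}")


def run_sample() -> List[Tuple[str, List[str]]]:
    """Replay a constructed event stream for one business customer."""
    p = Profile({"dev-A"}, {"US"}, {"vendor-1"}, typical_max_transfer=5000.0)
    events = [
        Event(100, "acme", "login", "dev-A", "US"),
        Event(160, "acme", "transfer", "dev-A", "US", payee="vendor-1", amount=2000.0),
        Event(900, "acme", "login", "dev-Z", "RO"),
        Event(950, "acme", "transfer", "dev-Z", "RO", payee="newco", amount=25000.0),
    ]
    # Five failed logins within ten minutes from yet another device.
    events += [Event(1000 + 10 * i, "acme", "login", "dev-Q", "US", ok=False)
               for i in range(5)]
    events.append(Event(1200, "acme", "admin", "dev-A", "US"))
    return [assess(ev, p) for ev in events]


if __name__ == "__main__":
    for decision, why in run_sample():
        print(decision, why)
```

The design point is the escalation ladder: a single weak signal (one unknown device) asks for another authentication factor, while two independent signals on a payment (new payee and an out-of-pattern amount) stop the transfer for review, which is the kind of control at a point other than login that the Supplement's layered-security language describes.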
Control Administrator. The Supplement’s last recommendation is that enhanced controls be imposed upon the administrators of an institution’s commercial customers.
The Supplement also includes the FFIEC’s analysis of three common authentication techniques. Device identification procedures will no longer be acceptable if categorized as “simple,” i.e., a cookie loaded onto the customer’s device. Challenge questions were also analyzed, with the recommendation that multiple out-of-wallet questions are now preferred over those that are simple or easily discovered from a user’s online information. Finally, the FFIEC stresses that institutions must address what many consider to be the Holy Grail of security compliance: customer awareness and education.
As the Supplement makes clear, cyber threats are complex and evolving, and a team approach may be required. The Supplement therefore offers specific guidance on what is required in a financial institution’s customer education plan.