Cyber-attacks against interbank networks and wholesale payment systems occur in the financial technology (FinTech) community, and the Federal Financial Institutions Examination Council (FFIEC) has taken action to mitigate the risks. Cyber attackers have demonstrated the ability to bypass financial institution information security controls for wholesale payment origination and have obtained and used valid operator credentials to compose, approve and send damaging messages. In addition, cyber attackers have used funds transfer operations to move stolen funds quickly across jurisdictions to avoid recovery, and have controlled and employed malware to disable and delay detection of fraudulent transactions. Such attacks expose the originating financial institution to financial loss and compliance risk (e.g. under the PATRIOT Act, the Bank Secrecy Act, and OFAC regulations).
As a result of these cyber-attacks, the FFIEC, which includes the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, issued a warning to financial institutions to review fintech risk management practices and controls over information technology and wholesale payment system networks.
With the FFIEC emphasizing technological risk in its statements, it follows that the financial institution regulators that make up the FFIEC may focus additional attention on fintech risk in future examinations of financial institutions. As a guide for financial institutions to mitigate risk, the FFIEC has issued the FFIEC IT Examination Handbook, which includes Information Security, Business Continuity Planning, Outsourcing Technology Services and Wholesale Payment Systems booklets. The handbook serves as the guide by which FFIEC regulators will assess financial institutions and certain fintech risks. Discussed below are some of the FFIEC's risk mitigation expectations for financial institutions.
Financial institutions should create an infrastructure that mitigates cyber risk. The FFIEC recommends that financial institutions maintain a continuous information security risk assessment program that considers emerging threats in the fintech industry and assesses and prioritizes risks to susceptible systems. To do so, financial institutions should use multiple layers of security controls. The FFIEC also recommends that financial institutions ensure third-party service providers perform effective risk management and control and maintain regular security testing. This should include a contractual obligation of the third party to provide the financial institution with security incident reports in the event of a detrimental security incident.
Protection and detection systems should be up to date, configured properly, and reviewed periodically. The FFIEC recommends that a baseline environment be established to enable financial institutions to detect atypical behavior. Systems should be monitored and should alert the financial institution to atypical behavior. Financial institutions should perform due diligence, including review of third-party services and software, adherence to industry practice for internally developed applications, penetration testing and vulnerability scans, and review of third-party reports generated from monitoring systems. Employees should also have security awareness training to combat user-targeted infiltrations such as phishing attempts.
Protection against unauthorized access should be employed. Financial institutions should limit the number of employees with privileged credentials and the ability to assign elevated privileges. Access rights should be periodically reviewed to ensure that access is commensurate with each employee's job function. Access rights should expire when unused or unnecessary. Geolocation controls and time-of-day authentication rules are good practices for multifactor authentication. Other protections include restricting the number of local administrators, promptly changing default passwords, preventing personal computers from connecting to business systems, monitoring controls to detect unauthorized devices, and use of secured networks when accessing business systems remotely.
Critical systems should have appropriate controls. Segregation of duties, audit, and fraud monitoring should be heightened based on risk. Examples of extra precautions include limiting sign-on attempts and locking accounts after excessive failed access attempts, encrypting sensitive data, safe password recovery practices, regularly testing security controls (e.g. firewalls), procedures to destroy sensitive information, internet access filtering, and backing up important data. In addition, the financial institution should have a plan in place with third parties to ensure that it is able to quickly recover payment processing or other integral operations when an unforeseen event occurs.
Financial institutions should stay apprised of the FFIEC's rules and their application with respect to fintech risk mitigation. Financial institutions face regulatory, public and private exposure due to technological risk. Because the industry is constantly changing, financial institutions should participate in information-sharing forums. Examples of such forums include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Computer Emergency Readiness Team (US-CERT).