On June 29, 2011, the FFIEC issued new guidance on internet banking security: A Supplement to Authentication in an Internet Banking Environment (the “2011 Supplement”). The 2011 Supplement updates the FFIEC’s prior October 2005 guidance on internet-based banking (the “2005 Guidance”). In the 2005 Guidance, the FFIEC provided a risk-based framework for financial institutions to use in establishing authentication methods for customers conducting online transactions. The 2005 Guidance established minimum expectations for effective authentication controls for consumer and commercial accounts, with heightened expectations for high-risk transactions involving access to customer information or the movement of funds. The 2005 Guidance also established an expectation that financial institutions engage in additional security-related practices (for example, customer education) and perform periodic risk assessments to evaluate the effectiveness and appropriateness of authentication controls. The 2005 Guidance also discussed the use of single-factor, tiered, and layered authentication techniques, and recommended the use of multi-factor authentication measures for certain types of high-risk transactions.
The popularity of online banking and the ever-increasing risks associated with the online environment prompted the FFIEC to issue the 2011 Supplement to update its expectations in this area. The FFIEC sets forth specific expectations for authentication measures, including the following: (i) periodic (at least annual) risk assessments, and adjustments to controls based on those assessments; and (ii) layered security measures for consumer and commercial transactions with consideration of the relative level of risk. At a minimum, layered security programs are expected to include processes for (a) detecting and responding to suspicious activity at initial login and access, and in the initiation of transactions involving transfers of funds to third parties, and (b) the use of enhanced administrative controls for administrators who set up or change access privileges and system configurations.
The FFIEC continues to recommend the use of multi-factor authentication for commercial online banking (described in more detail in the 2005 Guidance). The focus of the 2011 Supplement, however, is on the use of an effective layered security program. A layered security program will include a network of authentication measures, including traditional tools (such as passwords and challenge questions), out-of-band verification measures, dual-customer authorization and administrative controls, transactional limits, and other fraud detection/monitoring controls. The 2011 Supplement goes on to discuss a number of simple authentication methods and their relative effectiveness in today’s internet environment. Essentially, the FFIEC states that simple device authentication (i.e., “cookies”) and challenge questions are of limited effectiveness in today’s online environment, unless used in a sophisticated manner and as part of a more sophisticated authentication system. The 2011 Supplement goes on to discuss the availability and use of newer, more robust controls.
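To make the layered-security concept concrete, the following is an added example (not FFIEC text and not any institution's actual code) that models the control categories named above as successive decision layers: suspicious-activity signals at login, transactional limits, dual-customer authorization for commercial third-party transfers, out-of-band step-up, and an enhanced control for administrative privilege changes. All signal names, thresholds, and the `Policy` values are constructed assumptions for illustration; device recognition is deliberately treated as a weak signal, consistent with the Supplement's view of cookie-based device authentication.

```python
"""Layered transaction-authorization model (constructed example, not FFIEC or bank code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require out-of-band verification before release
    HOLD = "hold"         # park for a second authorizer or fraud review
    DENY = "deny"


@dataclass
class Session:
    customer_id: str
    commercial: bool
    device_recognized: bool   # cookie/device fingerprint: a weak signal only
    mfa_passed: bool
    login_country: str
    home_country: str
    failed_logins_last_hour: int


@dataclass
class Transfer:
    amount: float
    third_party: bool         # funds leave the customer's own accounts
    new_payee: bool
    second_approver: Optional[str] = None


@dataclass
class Policy:                 # all thresholds are assumed values
    single_txn_limit: float
    daily_limit: float
    dual_auth_threshold: float
    oob_threshold: float


def login_risk(session: Session):
    """Score suspicious signals at initial login/access. Returns (score, reasons)."""
    score, reasons = 0, []
    if not session.device_recognized:
        score += 1; reasons.append("unrecognized device")
    if session.login_country != session.home_country:
        score += 2; reasons.append("login country differs from home country")
    if session.failed_logins_last_hour >= 3:
        score += 2; reasons.append("repeated failed logins this hour")
    if session.commercial and not session.mfa_passed:
        score += 3; reasons.append("commercial session without multi-factor auth")
    return score, reasons


def evaluate_transfer(session: Session, transfer: Transfer, policy: Policy,
                      daily_total_so_far: float):
    """Layered decision for a funds transfer. Returns (Decision, reasons)."""
    score, reasons = login_risk(session)
    # Layer 1: hard transactional limits are checked before anything else
    if transfer.amount > policy.single_txn_limit:
        return Decision.DENY, reasons + ["exceeds single-transaction limit"]
    if daily_total_so_far + transfer.amount > policy.daily_limit:
        return Decision.DENY, reasons + ["exceeds daily limit"]
    # Layer 2: transaction-initiation signals for transfers to third parties
    if transfer.third_party and transfer.new_payee:
        score += 2; reasons.append("transfer to a newly added third-party payee")
    # Layer 3: dual-customer authorization for large commercial third-party transfers;
    # the approver must be a different user than the initiator
    if (session.commercial and transfer.third_party
            and transfer.amount >= policy.dual_auth_threshold):
        if transfer.second_approver in (None, session.customer_id):
            return Decision.HOLD, reasons + ["dual authorization by a different user required"]
    # Layer 4: step-up verification or review based on accumulated risk
    if score >= 5:
        return Decision.HOLD, reasons + ["risk score %d: fraud review" % score]
    if score >= 2 or transfer.amount >= policy.oob_threshold:
        return Decision.STEP_UP, reasons + ["out-of-band verification required"]
    return Decision.ALLOW, reasons


def evaluate_admin_change(session: Session, approver_id: Optional[str]):
    """Enhanced control for administrators changing access privileges or settings."""
    if not session.mfa_passed:
        return Decision.DENY, ["privilege changes require multi-factor auth"]
    if approver_id in (None, session.customer_id):
        return Decision.HOLD, ["second administrator must approve privilege change"]
    return Decision.ALLOW, []


# Constructed sample policy and sessions used for the demonstration below.
POLICY = Policy(single_txn_limit=25000, daily_limit=50000,
                dual_auth_threshold=10000, oob_threshold=5000)
CONSUMER = Session("cust-1", False, True, True, "US", "US", 0)
COMMERCIAL = Session("acme-alice", True, True, True, "US", "US", 0)
RISKY = Session("cust-2", False, False, True, "XX", "US", 0)

if __name__ == "__main__":
    print(evaluate_transfer(CONSUMER, Transfer(200, True, False), POLICY, 0))
    print(evaluate_transfer(COMMERCIAL, Transfer(12000, True, False), POLICY, 0))
    print(evaluate_transfer(RISKY, Transfer(300, True, True), POLICY, 0))
    print(evaluate_admin_change(COMMERCIAL, None))
```

The ordering matters: limits are absolute and evaluated first, dual authorization is enforced before any risk scoring so a high-value commercial transfer can never be released on the strength of a clean login alone, and the step-up layer catches the residual cases that are neither clearly safe nor clearly blocked.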
Also key to the 2011 Supplement are minimum expectations for customer awareness and education programs. Financial institutions are expected to explain to customers the protections available to them under Regulation E (or the absence of such protections); the circumstances under which the financial institution may contact the customer seeking online banking credentials; for commercial customers, the customer's own use of internal risk assessments; the use of customer controls to mitigate risk; and the appropriate methods for customers to notify the financial institution of suspicious account activity or security-related events. To this end, financial institutions should consider how their customer agreements and other documentation can be used to evidence compliance with these requirements.
Overall, the 2011 Supplement is an important update to the FFIEC's prior guidance in the areas of information security and online banking, and should be integrated into a financial institution's programs for online banking services. The 2011 Supplement may be found at the following link: http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf