As we reported earlier, the FDIC’s latest Supervisory Insights Journal contained an article of "critical interest" about mobile banking and strategies for mitigating risks. The article first gives an overview of certain security risks associated with the three delivery channels used for providing mobile banking services (text/SMS, web-based, and mobile app). The article goes on to discuss a number of other risks and vulnerabilities associated with the offering of mobile banking services, and makes a number of important points.
The Federal District Court for the District of Maine’s August 3, 2011 decision to adopt U.S. Magistrate Judge John H. Rich III’s recommendation to grant summary judgment in Patco Construction Co., Inc. v. People’s United Bank, a case widely followed in the banking industry, was an important victory for the Bank. It should be noted that the plaintiff, Patco Construction, has appealed the District Court’s decision to the U.S. Court of Appeals for the First Circuit (case no. 11-2031). Although the decision should be read in its entirety, here are a few important takeaways from the Magistrate Judge’s analysis.
Although the decision by the Federal District Court for the District of Maine to grant summary judgment in favor of People’s United Bank in the recent Patco Construction case has received much attention, another interesting decision by the Court was the dismissal of the Bank’s counterclaim for indemnification under its ACH and eBanking agreements.
First Circuit Rules that Merchant is Potentially Liable for Damages Arising out of a Credit Card Security Breach
The United States Court of Appeals for the First Circuit recently ruled that a merchant may be liable for reasonable mitigation costs suffered by victims of a data breach. In Anderson v. Hannaford Brothers Co., the First Circuit held that victims of a widely-publicized theft of card numbers from the Hannaford Brothers chain could, under Maine law, make cognizable claims for reasonable costs of mitigation related to the theft, e.g., card replacement fees and credit insurance.
On June 29, 2011, the FFIEC issued new guidance on internet banking security: A Supplement to Authentication in an Internet Banking Environment (the “2011 Supplement”). The 2011 Supplement updates the FFIEC’s prior October 2005 guidance on internet-based banking (the “2005 Guidance”). In the 2005 Guidance, the FFIEC provided a risk-based framework for financial institutions to use in establishing authentication methods for customers conducting online transactions. The 2005 Guidance established minimum expectations for effective authentication controls for consumer and commercial accounts, with heightened expectations for high-risk transactions involving access to customer information or the movement of funds. The 2005 Guidance also established an expectation that financial institutions engage in additional security-related practices (for example, customer education) and perform periodic risk assessments to evaluate the effectiveness and appropriateness of authentication controls. The 2005 Guidance also discussed the use of single-factor, tiered, and layered authentication techniques, and recommended the use of multi-factor authentication measures for certain types of high-risk transactions.
The popularity of online banking and the ever-increasing risks associated with the online environment prompted the FFIEC to issue the 2011 Supplement to update its expectations in this area. The FFIEC sets forth specific expectations for authentication measures, including the following: (i) periodic (at least annual) risk assessments, and adjustments to controls based on those assessments; and (ii) layered security measures for consumer and commercial transactions with consideration of the relative level of risk. At a minimum, layered security programs are expected to include processes for (a) detecting and responding to suspicious activity at initial login and access, and in the initiation of transactions involving transfers of funds to third parties, and (b) the use of enhanced administrative controls for administrators who set up or change access privileges and system configurations.
The FFIEC continues to recommend the use of multi-factor authentication for commercial online banking (described in more detail in the 2005 Guidance). The focus of the 2011 Supplement, however, is on the use of an effective layered security program. A layered security program will include a network of authentication measures, including traditional tools (such as passwords and challenge questions), out-of-band verification measures, dual-customer authorization and administrative controls, transactional limits, and other fraud detection/monitoring controls. The 2011 Supplement goes on to discuss a number of simple authentication methods and their relative effectiveness in today’s internet environment. Essentially, the FFIEC states that simple device authentication (i.e., “cookies”) and challenge questions are of limited effectiveness in today’s online environment, unless used in a sophisticated manner and as part of a more sophisticated authentication system. The 2011 Supplement goes on to discuss the availability and use of newer, more robust controls.
Also key to the 2011 Supplement are minimum expectations with regard to customer awareness and education programs. Financial institutions are expected to explain to customers: the protections available to them under Regulation E (or the lack thereof); the circumstances under which the financial institution may contact the customer seeking online banking credentials; with respect to commercial customers, the use of internal risk assessments; the use of customer controls to mitigate risk; and appropriate methods for customers to notify the financial institution of suspicious account activity or security-related events. To this end, financial institutions should consider how their customer agreements and other documentation are used to evidence compliance with these requirements.
Overall, the 2011 Supplement is an important update to the FFIEC’s prior guidance in the areas of information security and online banking, and should be integrated into a financial institution’s programs for online banking services. The 2011 Supplement may be found at the following link: http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf