Financial Services Blog

FFIEC Formally Releases Its Supplemental Guidance Respecting Online Banking

“Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts.  Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.” 

On June 28, 2011, the FFIEC finally released to the public its “Supplement to Authentication in an Internet Banking Environment.” This release supplements its original online banking guidance titled “Authentication in an Internet Banking Environment,” dated October 12, 2005.  The Supplement establishes the new supervisory expectations that examiners will apply in their assessments of financial institutions beginning in January 2012.[1]

The Supplement addresses five categories of assessment:

Risk Assessment  

While originally advanced in the 2005 Guidance, the Supplement reinforces the importance of a financial institution’s risk assessment of any electronic channel, with new, specific guidance that institutions are expected to update their risk assessments “at least every twelve months” and prior to implementing new electronic services.  It is possible that courts in future lawsuits will treat this expectation as a new “objective” requirement imposed upon bank litigants, and that other unhappy customers will challenge whether a “new electronic financial service” was in fact implemented, thus triggering the risk assessment requirement.

Authentication    

The Supplement does not change the definition of high risk transactions used in the original Guidance, but it does require demonstrated flexibility depending upon whether the online customer is a consumer or a business.  For businesses, financial institutions must have enhanced “layered security” and multifactor authentication.  Importantly, the Supplement continues in place the original Guidance’s requirement for multifactor authentication, although it does critically address the technical suitability of certain “factor” alternatives that are in common use in the authentication marketplace.  Thus, for the most common UCC 4A-202 “commercially reasonable” method-of-authentication issues, the Supplement does not materially change the basic analysis, but in future litigation one may expect greater judicial scrutiny of both the technical character of the bank’s chosen factors and the bank’s proof that it has actually implemented a layered security protocol.

Layered Security

The Supplement expands this concept as a core security feature.  Essentially, this means a demonstrated approach that uses different controls at different points in the transaction process, so that a weakness in one control is compensated by the strength of another.  “A one dimensional customer authentication program is simply not robust enough to provide the level of security that customers expect and that protects institutions from financial and reputational risk.”  The FFIEC Agencies “expect” (will courts read this as “require”?) layered security to contain at least two elements from the Supplement’s list of nine favored controls.  This portion of the Supplement warrants close review: the options presented should be evaluated against the bank’s current practices, and that menu may permit banks to better evaluate competing core processors’ product offerings.

Detection/Response

Financial institutions will be assessed on their plans to detect anomalies in their customers’ online activity and on their response plans.  Particular attention will be paid to log-in and authentication anomalies and to anomalies involving fund transfers to third parties.
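To make the detection expectation concrete, here is an added illustration (not code from the FFIEC Supplement or from the blog) of how an institution might score log-in and transfer events against what it already knows about a customer. The customer profile, the event records, the weights and the two thresholds are all constructed for the example. Each rule adds to a single score, so no one signal (an unrecognised device, a new payee, an implausible change of location) has to carry the decision on its own, which is the “layered” idea in practice.

```python
"""Anomaly scoring for online-banking logins and third-party transfers.

Added illustration, not code from the FFIEC Supplement or the blog: the
customer profile, events, weights and thresholds are constructed here.
Scores are additive per rule, and the action depends on the total.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

STEP_UP = 3    # assumed: require a second factor / out-of-band confirmation
HOLD = 5       # assumed: hold the event for manual review
MAX_KMH = 900  # assumed: faster than this between logins is treated as impossible travel


@dataclass
class Profile:
    """What the institution already knows about this customer (constructed)."""
    known_devices: set
    known_payees: set
    last_login: tuple        # (datetime, lat, lon) of the last accepted login
    typical_transfer: float  # e.g. upper range of the customer's recent transfers


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(ev, profile):
    """Log-in / authentication anomalies: device, brute-force attempts, travel."""
    score, reasons = 0, []
    if ev["device"] not in profile.known_devices:
        score += 2
        reasons.append("unrecognised device fingerprint")
    if ev["failed_attempts"] >= 3:
        score += 2
        reasons.append(f"{ev['failed_attempts']} failed password attempts before success")
    prev_time, prev_lat, prev_lon = profile.last_login
    hours = (ev["time"] - prev_time).total_seconds() / 3600
    km = haversine_km(prev_lat, prev_lon, ev["lat"], ev["lon"])
    if hours > 0 and km / hours > MAX_KMH:
        score += 3
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def score_transfer(ev, profile):
    """Funds-transfer anomalies: new payee, unusual amount, unknown device."""
    score, reasons = 0, []
    if ev["payee"] not in profile.known_payees:
        score += 2
        reasons.append("first transfer to this payee")
    if ev["amount"] > 3 * profile.typical_transfer:
        score += 2
        reasons.append(f"amount {ev['amount']:.2f} far above typical {profile.typical_transfer:.2f}")
    if ev["device"] not in profile.known_devices:
        score += 1
        reasons.append("initiated from unrecognised device")
    return score, reasons


def decide(score):
    """Map an accumulated score to the response the institution takes."""
    if score >= HOLD:
        return "hold"
    if score >= STEP_UP:
        return "step_up"
    return "allow"


def evaluate(events, profile):
    """Score events in order; return (event id, score, action, reasons) for each."""
    results = []
    for ev in events:
        scorer = score_login if ev["type"] == "login" else score_transfer
        score, reasons = scorer(ev, profile)
        action = decide(score)
        if ev["type"] == "login" and action == "allow":
            # The travel baseline only follows logins the institution accepted.
            profile.last_login = (ev["time"], ev["lat"], ev["lon"])
        results.append((ev["id"], score, action, reasons))
    return results


# Constructed sample: a commercial customer who normally logs in from Louisville.
PROFILE = Profile(
    known_devices={"fp-9a1c"},
    known_payees={"ACME Supply", "Payroll Processor"},
    last_login=(datetime(2011, 7, 1, 9, 0), 38.25, -85.76),
    typical_transfer=12_000.00,
)
EVENTS = [
    {"id": 1, "type": "login", "time": datetime(2011, 7, 1, 17, 5), "device": "fp-9a1c",
     "failed_attempts": 0, "lat": 38.25, "lon": -85.76},
    {"id": 2, "type": "transfer", "device": "fp-9a1c", "payee": "ACME Supply", "amount": 8_500.00},
    # Two hours later the same credentials are used from Kiev on a new device, after
    # several wrong passwords, and a large sum is immediately sent to a new payee.
    {"id": 3, "type": "login", "time": datetime(2011, 7, 1, 19, 10), "device": "fp-44e0",
     "failed_attempts": 4, "lat": 50.45, "lon": 30.52},
    {"id": 4, "type": "transfer", "device": "fp-44e0", "payee": "Northwind Holdings", "amount": 95_000.00},
]

if __name__ == "__main__":
    for ev_id, score, action, reasons in evaluate(EVENTS, PROFILE):
        print(f"event {ev_id}: score={score} action={action}; {'; '.join(reasons) or 'nothing unusual'}")
```

Run as written, the two afternoon events from the customer’s usual device score zero and are allowed, while the evening log-in (new device, four failed attempts, several thousand kilometres in two hours) and the transfer that follows it both exceed the hold threshold. Real deployments replace the fixed weights and thresholds with values tuned to the institution’s own fraud history, and the “hold” action is what feeds the response plan the Supplement asks for.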

Control Administrator

The Supplement’s last recommendation is that enhanced controls be imposed by the institution on its commercial customers’ system administrators, the users who can set up other users and change account configurations.

The Supplement also includes the FFIEC’s analysis of three common authentication techniques.  Device identification procedures will no longer be acceptable if categorized as “simple,” i.e., a cookie loaded onto the customer’s device; a cookie can be copied by malware on the customer’s machine and replayed from the fraudster’s.  Challenge questions were also analyzed, with the recommendation that multiple “out-of-wallet” questions are now preferred, as opposed to those which are simple or easily discovered from a user’s online information.  Finally, the FFIEC stresses that institutions must address what many consider to be the Holy Grail of security compliance: customer awareness and education.  As the Supplement makes clear, cyber threats are complex and evolving, and a team approach may be required.  Thus, the Supplement offers specific guidance as to what is required in a financial institution’s customer education plan.

[1] The original Guidance and the new Supplement must be read in context with FFIEC IT Handbook, including its Retail Payment Systems Manual, and the various trade associations’ separate rules, e.g., NACHA Operating Rules.

Attorney Spotlight

William T. Repasky practices with the Litigation Department at Frost Brown Todd. He focuses on lending and commercial services; banking litigation and financial institutions.