
Daily Deposit
Internet Banking Authentication 2012
January 2012 – Vol. 35 No. 1
by Karl Leslie

NCUA examiners will have ‘enhanced expectations’ this year

January 27, 2012

On June 28, 2011, the Federal Financial Institutions Examination Council issued a supplement to the Authentication in an Internet Banking Environment guidance, originally issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance.

The FFIEC also wants to update financial institutions regarding supervisory expectations related to customer/member authentication, layered security, and other controls in what the council describes as an “increasingly hostile online environment.” This month, the FFIEC member agencies, including the National Credit Union Administration, began formally assessing financial institutions under the enhanced expectations outlined in the supplement.

Among other things, credit unions are expected to:

  • Perform periodic risk assessments.
  • Use online authentication systems appropriate to the level of risk posed by the transaction in question.
  • Use “layered security programs.”
  • Review use of the “device identification” and “challenge question” authentication techniques.
  • Use appropriate member awareness (member education).

Periodic Risk Assessments

Credit unions should perform periodic risk assessments and adjust their member authentication controls as appropriate. At a minimum these assessments should take place every 12 months. However, credit unions should review and update their existing risk assessments as new information becomes available. For example, credit unions should make updates:

  • before implementing new or modifying existing electronic financial services;
  • when the credit union's electronic banking member base changes; and
  • in response to actual incidents.

Risk-Based Authentication Systems

The supplement recommends that credit unions implement more robust controls as the risk level of the transaction increases. Electronic transactions involving access to member information or the movement of funds to other parties are considered high-risk transactions. In addition, commercial transactions generally pose greater risk than consumer transactions because the frequency and dollar amounts are generally higher.

Layered Security Programs

Credit unions should implement a layered approach for high-risk Internet-based systems. Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Some of the examples of controls listed in the supplement include:

  • fraud detection and monitoring systems that consider member history and behavior;
  • dual member authorization;
  • the use of positive pay techniques, such as when a credit union works with a business member to systematically compare and confirm the company's record of checks issued with the checks actually presented for payment to the credit union;
  • the use of account controls, such as transaction amount thresholds and daily transaction limits;
  • the use of tools to block connection to suspicious IP addresses; and
  • the use of enhanced member education.

Review of Certain Authentication Techniques

The FFIEC suggests credit unions review the use of a couple of authentication techniques, namely device identification and challenge questions. Credit unions should not rely on device identification that simply uses a cookie loaded on the member’s PC. This type of cookie may be copied and moved to a fraudster’s PC. A preferred form of device identification is one that uses “one-time” cookies and creates a more complex digital fingerprint by looking at a number of characteristics, including PC configuration, Internet protocol address, geo-location and other factors.

Similarly, credit unions should not use challenge questions that can often be easily answered by an impostor who knows the member or has used an Internet search engine to get information about the member. Challenge questions can be implemented more effectively using sophisticated “out of wallet” questions, such as “What was your first pet’s name?” and “What color was your first car?” The true owner would know the answer but not likely carry it in his or her wallet.

They are much more difficult for an impostor to answer correctly because they do not rely on information that is publicly available. In addition, solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective than using a single challenge question.
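As an added illustration (not code from the article or from the FFIEC supplement), the following Python sketch combines the layered controls listed under "Layered Security Programs" with the multi-characteristic device fingerprint described above: each layer votes independently for allow, step-up (dual authorization) or block, and the strictest verdict wins, so a weakness in one layer is compensated by another. The policy values, IP addresses, payees and member data are all constructed for the example.

```python
# Added example, not from the article or the FFIEC guidance. Every value below is
# constructed; the thresholds are illustrative, not figures from the supplement.
import hashlib
from dataclasses import dataclass, field

PER_TXN_THRESHOLD = 2_500.00      # above this, require dual authorization
DAILY_LIMIT = 5_000.00            # hard cap on outbound transfers per day
BLOCKED_IPS = {"203.0.113.77"}    # hypothetical blocklist entry (TEST-NET range)

@dataclass
class Member:
    known_devices: set          # fingerprints of devices seen on prior logins
    typical_amount: float       # rolling average of the member's past transfers
    sent_today: float = 0.0     # outbound total already sent today
    trusted_payees: set = field(default_factory=set)

@dataclass
class Transfer:
    amount: float
    payee: str
    src_ip: str
    device_attrs: dict          # e.g. user agent, screen size, timezone, platform

def fingerprint(attrs: dict) -> str:
    """Hash several device characteristics together, rather than trusting a
    single copyable cookie; any one changed attribute yields a new fingerprint."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()

def evaluate(m: Member, t: Transfer) -> str:
    """Return 'allow', 'step_up' (dual authorization) or 'block'."""
    verdicts = []
    # Layer 1: connection controls (block known-bad source addresses)
    if t.src_ip in BLOCKED_IPS:
        verdicts.append("block")
    # Layer 2: account controls (daily limit, per-transaction threshold)
    if m.sent_today + t.amount > DAILY_LIMIT:
        verdicts.append("block")
    elif t.amount > PER_TXN_THRESHOLD:
        verdicts.append("step_up")
    # Layer 3: device identification (unknown device -> stronger authentication)
    if fingerprint(t.device_attrs) not in m.known_devices:
        verdicts.append("step_up")
    # Layer 4: behaviour versus member history (new payee or unusually large amount)
    if t.payee not in m.trusted_payees or t.amount > 3 * m.typical_amount:
        verdicts.append("step_up")
    order = {"allow": 0, "step_up": 1, "block": 2}
    return max(verdicts, key=order.get, default="allow")
```

A real deployment would log which layer produced each verdict, since that history is what the "member history and behavior" layer feeds on.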

Member Awareness

Finally, the supplement recommends that credit unions educate both retail and commercial account holders. Examples of topics to address include:

  • an explanation of protections provided, and not provided, under Regulation E;
  • an explanation of if, when and how the credit union would contact a member – on an unsolicited basis – and request the member’s electronic banking credentials;
  • a suggestion that commercial online banking users periodically perform a risk assessment and controls evaluation;
  • a list of steps members can take to mitigate their own risk; and
  • a listing of credit union contacts for members to report suspicious account activity or report a security-related experience.

Karl Leslie is a managing attorney for Wolters Kluwer Financial Services. Leslie has been with Wolters Kluwer Financial Services for 22 years. For the past 12 years, he has primarily focused on compliance topics related to deposit and share accounts, in particular issues related to electronic fund transfers, Truth in Savings, funds availability, online banking and account documentation.